Necessity of new IETF switching, routing specs questioned

BY JIM DUFFY

TWO HIGH-PROFILE specifications winding their way
through the IETF promise to boost data center switching
and service provider routing, but advances from Cisco and
Juniper Networks raise questions about how much the specs
are even needed.

For switching, the IETF is working on Transparent
Interconnection of Lots of Links (TRILL), which is intended to
overcome limitations of the Spanning Tree protocol in scale

IBM to expand mobile unified communications

BY TIM GREENE

IBM PLANS to introduce a variety of collaboration tools to
mobile platforms in an effort to create full-featured unified
communications endpoints.

Initially these mobile tools will enable calling features that,
for example, determine the least expensive mode for making a
phone call, but that will be expanded to include the full range
of IBM collaboration and conferencing features, said Alistair
Rennie, general manager of IBM Lotus, during an interview
at IBM’s new and sprawling software development facility in
Littleton, Mass. With the most recent release of Lotus Sametime
Unified Communications collaboration software last
week, the platform now supports BlackBerry 5.0 and Microsoft
Windows Mobile 6.5 clients.

“It’s not about feeds and speeds but about transforming
business functions.”
ALISTAIR RENNIE, GENERAL MANAGER OF LOTUS SOFTWARE FOR IBM


Living with infection

Even as average enterprise security spending
has risen over the years from 2% of the total IT budget
to 10%, the percentage of compromised corporate
machines has also climbed, now up to 7% to 9% by
some estimates.

As good as we have gotten at fighting
the well-known stuff — say the Zeus/Zbot
and Koobface botnets — the
targeted, more stealthy attacks typically go undetected.

The point is, your network is likely infected.

Damballa, a company that makes tools to detect the
command and control communications used to run botnets,
says every company it has done proof-of-concept
demos for has been infected. All of them.

Andreas Antonopoulos, a senior vice president of
Nemertes Research, says the bad guys control more
than 5 million machines in what he calls dark cloud computing. The more targeted
attacks are hard to pick up because the perpetrators take their time, using bots to
subvert a little at a time, then using that knowledge to subvert some more.

Long duration is now even the norm with old-style attacks, says Jim Maloney,
president and CEO of consultancy Cyber Risk Strategies, and formerly head of security
for Barclays and Amazon.com. In a Webcast sponsored by Bit9, Maloney pointed
out that Operation Aurora, originally directed at Google, spanned nine months.

Maloney says forensics after one bank breach revealed the crooks would wait
two to three weeks between each step in their attack. It started with a low-level,
quiet scan, which was followed by a noisier scan, then the attackers lobbed a text
file on the bank’s Web site, then eventually put a tool on the site that allowed them
to pull down one customer record, then 10 and so on.

Regardless of the style of attack, we always seem to be a step behind, Maloney
says. He argues that we need to make the systems security model more
information-centric, more proactive, and he uses this maturity model to help clients figure
out where they are today:

■ In terms of how their security program is run, he asks clients where they stand
on the continuum between being proactive vs. reactive, being strategic vs. tactical,
and between viewing security as a people/process/technology challenge vs.
simply a tech problem.

■ Then he asks if the business views the security program as an investment or a
cost, and an enabler or a business inhibitor.

The trick, he says, is to tip these scales to the left. The technologies he likes that
will help move us forward include techs that: use general behavior and rules vs.
specific signatures (although you still need those too); prevent compromise vs.
detect it; and provide actionable intelligence, not just data.

The bad guys are patient. We can’t afford to be.

jdix@nww.com 

Twitter.com/JDNWW 
Oracle blind to OpenSolaris potential

THE BEST THINGS these developers can do in the light of a lack of
support is to help roll the code into Linux or FreeBSD.

If Oracle management isn’t bright enough to see the great projects
coming out of the open source movements, then Fork 'em. (Re:
OpenSolaris To Oracle: Fork Off; tinyurl.com/3ydcnmx.)

The Linux community would benefit greatly from many pieces of
OpenSolaris, my current favorites are ZFS and COMSTAR.

With enterprise class free components from OpenSolaris, the *NIX
community as a whole would move forward yet again in a grand leap
to overtake the database and storage platforms for years to come.

In the end, this could be a great thing for the open source
community as the lines merge again and OpenSolaris overthrows
its corporate master, which for some reason wants to bite the hand
that would keep feeding it. In the end, I hope the community
welcomes this exodus with open arms. RIP SUN; I barely got to
know thee.

Anon 

No such thing as a hack-proof phone

UNIX/LINUX WAS BUILT from the ground up in the late 60’s with
security as a priority and a key ingredient right up front. While
certainly not perfect, it is very mature. And it’s not just about the
OS itself. (Re: Unhackable Android phone can be hacked;
tinyurl.com/2ww2vc3.)

The demographic for this OS are people/companies who generally
have a better understanding of the threats, the importance of
effective security and are willing to sacrifice some convenience to
maintain a more secure system.

DOS/Windows was built in the 80s/90s, and any concept of security
came later as a bolt-on afterthought. Windows security today, even
though it’s more “built-in” now, would still be generally regarded as
less mature, less well thought out, and less effective. Examples
of Microsoft’s boneheaded approach to security abound. Further,
security often takes a back seat to backward compatibility and
customer convenience. They have to sell this OS to the general
public, after all, and the general public often gets annoyed with
security features he doesn’t understand.

But as has increasingly been noted, having a “secure OS” is only
part of the picture. A large percentage of security issues these days
result from users doing very risky things.

More to the point, how does one make a PC, smartphone or other
OS-based device fully “idiot proof”?

If a user chooses to grant permissions to a new app when they
shouldn’t — whether it’s Android, Windows 2007, or whatever
— how can that be effectively prevented? And yes, if this were
Windows Phone 7 under the bright lights right now, I would cut
them some slack for this too.

Anon 

Enterprise mobility opens door to anonymous spam

ONE PROBLEM WITH mobile systems is increased anonymity of the
source. If the company has entered a wrong number in their system,
then someone could be bombarded with spam and have little
ability to get it stopped. (Re: Enterprises are embracing mobile
devices; tinyurl.com/36vvg9a.)

My  wife’s  phone  receives  SO  to  120 
text messages each week day and about
half as many each weekend day. The
messages are from someone’s IT organization
detailing failing servers and
applications around the world.

Unfortunately,  there  isn’t  sufficient 
information  in  the  sender  field  to 
identify  the  source  of  these  messages. 
Nor  is  there  sufficient  information  in  the 
content  to  track  down  the  source  (but  I 
sure  know  a  lot  about  the  failability  of 
this  IT  organization). 

Anon 


Linux kernel gets Google juice

THANKS TO A pair of protocols developed by Google, the
new version of the Linux kernel should be able to speed
network throughput considerably.

Google’s Receive Packet Steering technology spreads incoming
packets across all of the CPUs available on the machine, and
Receive Flow Steering calculates which cores would be best
suited for processing, given factors such as which applications
will be using the packets. Other new features in Linux version
2.6.35 include a new form of memory compression; a front-end
for a debugger supplied by SGI; the ability to manage multiple
multicast route tables; and a new mode of the XFS file system
that bundles logging tasks in order to cut down input/output
traffic. tinyurl.com/2wa8w6g




What server market recovery?

DESPITE PROCLAMATIONS that budgets are opening up,
server spending remains weak as companies continue to look
for ways to save money, including using virtualization to cram
more workloads on existing boxes. According to research
firm TheInfoPro, 38% of companies plan to reduce their server
budgets, while only 25% plan to spend more. The firm also found
that Oracle is the most vulnerable of all server vendors (they
bought Sun, remember) because of discontented customers.
TheInfoPro reports that 26% of Oracle’s customers are considering
leaving for a competitor and 21% already plan to leave.
tinyurl.com/355ped9


Facebook thumbs nose at Greenpeace, doubles size of data center

FACEBOOK HAS decided to double the size of its first wholly
owned data center before the first part of the project is even built.
Facebook’s 147,000-square-foot facility is under construction
in Prineville, Ore., and the company decided to add
another 160,000 square feet to the project. Greenpeace won’t be
thrilled at the expansion plans, having criticized Facebook for
choosing a site where the local power company generates most
of its electricity using coal-fired plants. Facebook maintains
that it picked Oregon because of its dry and temperate climate,
which allows it to use more energy-efficient evaporative
cooling instead of a mechanical chiller. tinyurl.com/354buqr

$1.2 billion earmarked for rural broadband

THE U.S. Department of Agriculture’s Rural Utilities Service
(RUS) has announced $1.2 billion in grants and loans for 126
broadband deployment projects in 38 states and tribal areas. The
funding will enable telemedicine and distance learning and
allow farmers and ranchers to get up-to-the-minute information
on weather and commodity prices, says Tom Vilsack, U.S.
secretary of agriculture. The new awards include grants for
deploying WiMAX, fiber and DSL. The RUS has now distributed
more than $2.6 billion in broadband grants and loans
through the American Recovery and Reinvestment Act passed by
Congress in early 2009. tinyurl.com/37jq2xh


Android wins popularity contest

A recent study shows that Android-based phones
are more popular than the iPhone. But RIM BlackBerry
beats them both. tinyurl.com/2ubv6qw


Extreme fills CEO position

EXTREME REPLACED CEO Mark Canepa last fall with
acting CEO Bob Corey (who will continue as CFO) and laid
off 10% of its workforce after coming up 18% short on its first
quarter revenue targets. Now it has named Oscar Rodriguez as
president and CEO, luring him away from Movius Interactive,
a privately held developer of messaging, collaboration and
mobile media products for service providers. Before joining
Movius as CEO, Rodriguez held senior executive positions
at Alcatel-Lucent’s Enterprise Business Group, Riverstone
Networks and Nortel Networks’ Enterprise Solutions
division. tinyurl.com/3658o7l


Stuxnet worm not new after all

IT TURNS out the Stuxnet worm that made headlines a few weeks
ago has been around longer than researchers first thought. The
worm is notable not only for its technical sophistication, but also
for the fact that it targets industrial control systems designed to
run factories and power plants. Researchers at Symantec say
that they’ve identified an early version that was created in June
2009 and acts in the same way as its current incarnation — it tries
to connect with Siemens SCADA management systems
and steal data — but it does not use some of
the newer worm’s more remarkable techniques to
evade antivirus detection.

The malicious software was made more sophisticated in the
early part of 2010, said Roel Schouwenberg, a researcher
with Kaspersky Lab. “This is without any doubt the most
sophisticated targeted attack we have seen so far,” he says
of the current threat. tinyurl.com/35tfpk9

GOOD BAD UGLY

FTC, Intel settle

INTEL HAS reached a proposed settlement with the Federal Trade
Commission in the agency’s antitrust complaint, with Intel
prohibited from giving computer makers benefits for exclusively
using its chips.

The settlement also prohibits Intel, the world's largest chip maker,
from retaliating against computer makers if they do business with
other suppliers.

BlackBerry not welcome here, or there, or...

SAUDI ARABIA and the United Arab Emirates announced plans to ban
certain BlackBerry services, such as the Messenger function, due
to security concerns.

Indonesia also was mulling a ban on such services.

The countries aren’t satisfied with Research in Motion’s
system of processing messages on servers outside
these countries.

Unions not big Michael Dell fans

TWO LABOR unions have asked Dell shareholders to
withhold their votes for Chairman and CEO Michael
Dell to remain as a director on the company’s board
following a $100 million accounting practices
settlement the company made with the U.S.
Securities and Exchange Commission.

The AFL-CIO and American Federation of
State, County, and Municipal Employees, in a
letter to shareholders, also suggest that Michael
Dell’s executive compensation package was excessive
during the past decade. Dell, who founded the
company in 1984, received more than $450 million,
including money through stock option sales, from his
company from 2000 to 2009, while his company’s
stock value dropped 66% in the same time period,
the labor unions said in the letter.

“Based on the allegations in the SEC’s complaint
against our Company and Michael Dell, we believe
that shareholders would be better served by the
removal of Michael Dell as the Chairman of our
Company's Board of Directors,” the letter said.
“By voting to ‘WITHHOLD’ from
Michael Dell, you can encourage the
Board of Directors to appoint a new
Chairman.”

Google Wave washes out

ONLY A year after its release, Google is pulling the plug on its
Google Wave social-network service. The company will maintain
the service through the end of the year and then roll aspects
of it into other Google projects. “Wave has not seen the user
adoption we would have liked,” blogged Urs Hölzle, Google
senior vice president for operations. Despite the company’s
many attempts to explain it to the public, few latched onto
the purpose. A “Web app for real time communication and
collaboration, it set a high bar for what was possible in a Web
browser,” he said. “We weren’t quite sure how users would
respond to this radically different kind of communication.”
Sure, blame us. More like the idea was half baked from the get
go. tinyurl.com/332yx8p


Life saving iPhone apps

MOVE OVER games and make room for medicine. Developers
are tapping into a treasure trove of U.S. government healthcare
data and coming up with iPhone apps that help consumers
make better medical decisions. Asthmapolis, for instance,
uses a GPS-enabled device that attaches to an inhaler and
records the time and location when asthma patients use their
inhalers. This data is automatically transmitted to the patient’s
doctor, while aggregate data is available to asthma researchers
and public health agencies. tinyurl.com/34vw48o

Wall Street bullish on tech skills

ONLINE JOB board eFinancialCareers says the number of IT
jobs posted by financial services firms was up 24% in July
compared to last year. Managing director Constance Melrose
says financial services firms are looking for strong programming,
database and operating system skills. Experience using technology
to evaluate portfolio risk, trading risk and credit risk is
also a priority, Melrose says. To which we add, thank goodness.
tinyurl.com/35u6fvg


TRUE FACT

[Chart: How important are mobile devices to your organization’s
business processes and productivity? Response categories: Critical;
Important; Somewhat important. Note: remaining 3% said it was not
important or didn't know. Source: ESG Research]

TREND  ANALYSIS 


Smartphone  wave  challenges  enterprise  security 


BY ELLEN MESSMER

WITH EVER more employees clamoring to
use smartphones for both personal and business
purposes, IT and security managers are
forced to answer tough questions:

First, will there be sanctioned enterprise
adoption of Apple’s iPhone — not to mention
the iPad — as well as smartphones based
on Google’s Android operating system, if not
even more varieties?

And, if employees want to use their own
smartphone or iPad in business, will that be
allowed?

Finally, how will the enterprise prepare to
exert management and security controls in
a multi-operating system smartphone environment,
or figure out how to secure data on
a device that the employee, not the enterprise,
officially owns?

“It’s coming,” says Terrell Herzig, data
security officer at UAB Health System, the
hospital and medical research organization
in Birmingham, Ala. “The iPhones, the iPads,
the Droid.”

Herzig  says  medical  professionals  and 
staff  just  bring  in  the  devices  and  expect  to 
get  onto  clinical  systems.  They  call  the  help 
desk,  which  reacts  with  bewilderment  before 
calling  the  security  team. 

And the demand is so mighty, UAB’s CIO
has set up a special task force to figure out
whether UAB, which already makes official
use of the BlackBerry, should become a
multi-smartphone environment, or approve use of
personal devices.

“We’re telling them hold off on buying
these devices while we figure it out,” he says.

Just last week, UAB completed its security
and configuration measures for the iPad,
which will now be used with Good Technology’s
management and security application.

“The new generation of devices have the
capability to do the things we want them to
do,” Herzig says. “A lot of people will want to
remote desktop from the Droid.”

The prospect of supporting management
and security in a multi-operating system
smartphone environment, or letting the
employee use his own device, is now hotly
debated among consultants and analysts.

“Most of the security can’t scale to the number
of devices the users will bring,” says Kalani
Silva, director of business transformation
enablement at Presidio Network Solutions in
Greenbelt, Md. Silva believes trying to support
multiple smartphone types in the enterprise
will put demands on IT and security — and
add costs — that just aren’t worth it.

The BlackBerry can be reasonably controlled,
Silva says, but that’s not the case
today with iPhone and the Android mobile
devices. And allowing what’s brought in as a
consumer personal device to be used in business
suggests there should be some way to
securely partition it.

Other analysts acknowledge there are risks
but say it should be considered.


Items missing for corporate use

■ Distribution of configuration files
■ Mature enterprise device management tools
■ Support for smart card authentication
■ Compliance with FIPS 140-2
■ Support for client e-mail end-to-end encryption
■ Logging of SMS
■ Fine-grained application control

SOURCE: FORRESTER


“It’s a devil’s bargain,” says Andrew Borg,
analyst at the Aberdeen consultancy. RIM’s
BlackBerry has long been the smartphone
staple in the enterprise, and is marketed for
that purpose. But the pressure is huge to allow
in the stampede of ever-smarter smartphones
that are mainly marketed for consumers.

Aberdeen suggests limiting the number of
smartphones tested, perhaps to just iPhone or
Android, such as the Motorola version. The
main consideration is the mobile device management
software and whether it extends into
the type of management and security controls
that are warranted, such as the functions of
device lock and device wipe, encryption and
being able to lock down access remotely.

Good Technology, Zenprise, Trust Digital
(recently acquired by McAfee), MobileIron,
Tangoe and BoxTone are possibilities in
what’s called enterprise mobility management
for multi-OS smartphone management
and security, Aberdeen reports.

Whether the employee-owned smartphone
should be welcomed into official enterprise
use is something each enterprise has to
determine based on risk factors, cost advantages
and whether access to the device can
be adequately controlled. But according to
Aberdeen, the phenomenon is spreading.

“Heterogeneity is real and enterprises are
saying, ‘I have to learn to deal with it,’” says
David Goldschlag, McAfee vice president of
mobile technologies and former president
and CTO at Trust Digital. Goldschlag says
Trust Digital’s own research on what large
corporations are doing suggests about a third
want to “enable users’ personal smartphones
for business.”

Gartner analyst John Pescatore says the
IT department’s response to the smartphone
wave should be nuanced based on risk and
regulatory-compliance factors.

Pescatore says that enterprises need to
“set a minimal bar” in terms of management
and security. There should be an enforceable
mandatory start-up password, enforced time
out, enforceable encryption and an
over-the-air kill capability at a minimum for any
smartphone. Active synch support is also
preferred.

The key is building those controls around
mobility management agent software, but
not supporting multiple vendor packages
to do that. While these applications and the
iPhone and particularly the Android cannot
today support every desired security function,
it’s safe to think they will in the foreseeable
future, Pescatore says.

Pescatore adds that security functions such
as browser-based filtering and whitelisting
will eventually come for smartphones, and
carrier-based cloud security services are
likely to present more options for security
services. In fact, Pescatore says the traditional
methods of loading up PCs and laptops with
security software simply “hasn’t worked” to
really ward off trouble such as botnets.

Forrester Research just published a report
“Apple’s iPhone and iPad: Secure Enough for
Business?” in which analyst Andrew Jaquith
ardently argues, “‘No’ is no longer the
automatic answer.”

Although the Forrester report calls BlackBerry
“the gold standard for secure mobile
devices,” Jaquith indicates the time has
arrived to let Apple’s iPhone and iPad,
including employee-owned ones, into the
enterprise for official use under certain
restrictions. Desired controls include autolock,
autowipe, remote wipe, e-mail session
encryption and more.
SPECIAL FOCUS


►  Switching,  from  page  1 

and topology reconvergence. For routing, the IETF is investigating
the Locator/ID Separation Protocol (LISP), which is designed to
improve addressing and load balancing for enterprises working with
multiple ISPs.

While these may seem like solutions to long overdue networking
problems, they may also be redundant with capabilities already or
soon to be on the market. In the case of TRILL, Ethernet switch
market leader Cisco will soon be shipping FabricPath for its Nexus
7000 switch that accomplishes the same tasks TRILL is intended to
address while providing more capabilities.

And the IETF acknowledges there are other techniques available
today that accomplish some of the same goals as LISP. Rival Juniper
concurs, enough so that it is holding off on pledging support for
LISP — as well as TRILL.

“We’ve already been doing this for the last two and a half years,”
says Dhritiman Dasgupta, senior product marketing manager for Data
Center Technologies at Juniper. “What else does TRILL bring to the
table? Honestly, we can’t find much.”

TRILL - IETF RFC 5556 - was authored by Joe Touch, research
associate professor at the University of Southern California’s
Information Sciences Institute, and Radia Perlman, a software
engineer at Intel who also created Spanning Tree. TRILL is intended
to be a Layer 2 protocol with link state routing enhancements to
enable shortest path multihop routing so users can build large-scale
Ethernet and Fibre Channel-over-Ethernet data center networks.

Link state routing allows the Ethernet network to discover and
calculate shortest paths between TRILL nodes called Routing Bridges,
or RBridges. TRILL is designed to overcome the slow topology
reconvergence times associated with Spanning Tree, which limits
scale and is more susceptible to link failures, while remaining
backward compatible with existing Spanning Tree implementations.

Donald Eastlake, a principal engineer at Cisco and co-chair of the
TRILL working group within the IETF, says the final TRILL RFC
document will be published once a companion document that specifies
IS-IS code points and data structures is agreed upon. He expects
that sometime “fairly soon,” while analysts expect products to
populate the market in the first half of 2011.

In the meantime, vendors are implementing and testing preliminary
versions of TRILL. The University of New Hampshire Interoperability
Laboratory hosted a TRILL Plugfest last week; announced participants
were components suppliers Broadcom and JDS Uniphase, and database
giant Oracle, according to the UNH-IOL Web site.

Eastlake  concurs  that  TRILL  is  essentially 
Layer  2  routing. 

“It’s  pretty  much  Layer  2.5,”  Eastlake  says. 

Don’t be surprised if that TRILL RFC is missing from Juniper’s data
sheets on its EX or upcoming Project Stratus data center switches,
however. Juniper claims its Virtual Chassis technology, which
interconnects 10 Juniper fixed-configuration switches into a single
“switch” supporting hundreds of Gigabit Ethernet ports, accomplishes
the same goals as TRILL — chiefly, to collapse layers of switching
in a data center network and facilitate more “east-west”
communication between servers than “north-south.”


“What we are doing today is way beyond what TRILL is doing,”
Dasgupta says. “It’s trying to focus on just one problem in
isolation, which is Layer 2 multipathing. There’s multiple other
things happening in the data center.”

Some of those other things are lossless transmission and LAN/SAN
convergence, requirements being addressed by other standards
activities — the IEEE’s Data Center Bridging/Converged Enhanced
Ethernet work, and ANSI T11’s Fibre Channel-over-Ethernet
specification among them.

TRILL lacks a holistic data center vision, Dasgupta says, in that
it limits a data center fabric to Layer 2 — interdomain
communication has to go through a Layer 3 port, such as that on a
router, which adds cost, latency and a bottleneck in the network.

With Virtual Chassis and Stratus “you don’t need to step outside
the fabric and then come back in,” Dasgupta says.

The only advantage to TRILL then is for interoperability, Dasgupta
says. Juniper’s Virtual Chassis and Stratus fabrics will not be
interoperable with Cisco’s FabricPath and Brocade’s VCS, so TRILL
will be the least common denominator for fabric interoperability
between those approaches.

Another issue complicating TRILL’s potential is an alternative
standard being developed by the IEEE. The 802.1AQ Shortest Path
Bridging specification is an extension to the Multiple Spanning Tree
Protocol that also uses a link state routing protocol to allow
switches to learn the shortest paths through an Ethernet fabric and
dynamically adjust to topology changes.

Eastlake  calls  Shortest  Path  Bridging  a 
“competitor”  to  TRILL. 

“Currently, Shortest Path Bridging is limited to a maximum of 16-way
multipathing,” Eastlake says. “TRILL has no limits — people are
talking about 100-way multipathing.”

Yet another possible obstacle to TRILL’s potential is Cisco’s
FabricPath. Cisco describes FabricPath as a “pre-standard superset”
of TRILL that includes TRILL but extends its capabilities,
particularly in media access control address learning and topology
computation. But with Cisco’s dominance in Ethernet switching and
FabricPath’s market lead time over a final TRILL standard, the case
for TRILL could be marginalized.

“Initially, customers will gravitate toward FabricPath,” says Zeus
Kerravala, an analyst at The Yankee Group. “They have such large
share that you almost put yourself at a competitive disadvantage by
not supporting it.”

Eastlake,  however,  doesn’t  see  FabricPath 
as  a  threat  to  TRILL. 

“There has been Cisco involvement [in TRILL] pretty much all along,”
he says. “The fact that Cisco is endorsing this whole concept ... is
generally a boost for the technology. It makes it a mainline
technology.”

Ritesh Mukherjee, a Cisco product manager, says: “Customers can use
FabricPath and only have the TRILL capability [active]. That would
be fine. I don’t think it will be a step down, but you aren’t using
all of the capabilities provided by FabricPath.”

Mukherjee  is  the  product  manager  for  LISP 
at  Cisco.  Cisco  authored  the  original  LISP 
IETF  document  last  year  and  the  IETF  formed 
a  working  group  on  it  shortly  thereafter. 

LISP was initially designed to help scale the Internet by reducing
the number of routing table entries in core routers operated by
ISPs. LISP would logically separate a block of IP addresses that a
company advertises out to the global Internet into two functions:
one for identifying the systems using the IP addresses, and the
other for locating where these systems connect to the Internet.

This  separation  allows  LISP  to  aggregate 
the  location  information,  so  less  of  it  needs 


Monitoring Your 10Gbps Data Center More Efficiently

Gigamon  makes  innovative  shift  in  built-in  network 
monitoring 


Gigamon  CTO  Patrick  Leong  was  part  of  the 
engineering  team  that  invented  technology 
he  says  will  revolutionize  network  traffic 
monitoring  in  today’s  high-speed,  distributed, 
lights-out  data  center.  Read  on  to  find  out  why. 

With the increasing number of 10Gbps connections within the data
center, how is the ability to monitor, record or analyze critical
data affected?

In the past, monitoring solutions connected directly to network
segments. Today, a lot of companies cannot connect directly because
their tools cannot handle the full 10Gbps load.

Gigamon’s data access switch — GigaVUE — takes 10Gbps traffic at
line rate, and intelligently distributes the traffic out to 10Gbps
and 1Gbps tools based on user-defined criteria. Each 1Gbps tool gets
a more focused scope of the 10Gbps traffic, and significantly
reduces the chance of dropping packets due to bandwidth
over-subscription.

The faster a network, the more difficult it is to accurately
time-stamp a packet so that it correctly reflects the application
response time. GigaVUE’s GPS-based time stamp engine provides
nanosecond-resolution, synchronized time stamps on packets collected
over a wide geographic area, and is a great tool for latency
measurements.

What type of investment is required to build a centralized data
center monitoring infrastructure, and what is the ROI?

The investment for building a centralized data monitoring
infrastructure is relatively small compared to populating a lot of
tools over the network. This is because the GigaVUE can aggregate
traffic from multiple network segments to the same tool. Also, the
GigaVUE can multicast the same traffic to multiple tools, providing
24x7 network visibility to multiple teams. This speeds up the
overall response time to any network or security issue.


What  is  needed  to  securely  access  and  gain 
complete  visibility  of  your  data? 

The old practice of locking up your physical tap is not secure
enough. All it takes is a break-in to reconnect your tap cable to
somewhere else, and your traffic will be compromised. With GigaVUE,
any change in link status or connection configuration will generate
logs and SNMP traps. The three-tier user level system, together with
syslog and integration to TACACS+ and RADIUS servers, allows much
finer user access control. The GigaVUE can even mask out sensitive
fields in the packets so that the IT personnel cannot see more than
they need to see.

What  are  some  of  the  productivity  gains/ 
tradeoffs  for  data  center  staff? 

24x7 secured network visibility for multiple teams is the biggest
gain. In the old days, IT and Security teams could be fighting for
the same span port access to a switch or router. The fact that we no
longer have to deploy tools all over the place reduces the capital
expenses, and saves up a lot of valuable rack space. Some of the
more advanced GigaVUE features, such as GPS-based time stamping,
ingress port labeling of packets, slicing or masking will boost the
performance of your tools.

The GigaVUE is a paradigm shift in network monitoring. As with any
paradigm shift, some change in your network deployment configuration
is needed. But the simple concept of connecting traffic from a
network port to a tool port makes it very easy to understand and
visualize.

What  kinds  of  IT  skills  and  training  will  be 
required  in  this  new  model? 

We  designed  GigaVUE  with  a  command  line 
interface  that  is  user-friendly,  and  a  GUI  that 
runs  on  a  standard  Web  browser.  Anyone 
who  can  control  Cisco  switches  and  routers 
will  be  able  to  pick  up  the  CLI  in  no  time.  The 
GUI  allows  you  to  control  the  box  in  an  easy 
graphical  manner,  with  no  learning  curve. 
BlackBerry Torch could sink or swim on OS 6

Revamped operating system key to RIM’s future

BY BRAD REED

FROM A tech specs perspective, Research in Motion’s new BlackBerry
Torch smartphone isn’t groundbreaking. Rather, its success or
failure will hinge upon the strength of its revamped operating
system.

RIM’s newest device doesn’t have a gigantic high-definition screen
like the Motorola Droid X, it doesn’t have 4G connectivity like the
HTC Evo 4G or even a 1GHz processor like the iPhone 4. Instead, it
has a fully retooled operating system and Web browser that is
designed to make BlackBerry devices appeal more broadly to consumers
and to help RIM keep up with the iPhone and Android-based devices.

The BlackBerry OS 6, which debuted last week along with the
BlackBerry Torch smartphone, has been in the works for quite some
time and is the culmination of RIM’s efforts to redo its operating
system and Web browsing experience. The company first tipped its
hand that it was looking to remake its Web browser when it purchased
open source Web browser developer Torch Mobile, whose flagship Iris
Browser is based on the open source Webkit browser engine and is
specifically designed for mobile phones, set-top boxes and
ultra-mobile PCs.

So now that we’ve taken our first official look at BlackBerry OS 6,
what are its key features? Among other things, the new Webkit-based
browser will offer auto-wrap text zoom on the device’s touchscreen.
In other words, every time you zoom in or out on a Web page on the
BlackBerry Torch, the browser will automatically wrap the text to
fit within the screen size. This was a feature that was sorely
missing in the BlackBerry Storm, which didn’t even have a touch-zoom
capability.

The operating system will also work with social networking and
messaging tools, such as Facebook, BlackBerry and AOL messengers,
Twitter and Google Talk, so that users can access the latest
messages from all of their social networking sites right from their
home screens. Looking for content on BlackBerry OS 6 devices will be
easier as well, as the operating system now has a Universal Search
application that will let users search the entire device for
contacts, pictures and so forth.

RIM is also trying to simplify the home screen on its devices by
giving users several sidebars they can choose from that can limit
the number of icons to appear on the main screen. Using the
“frequent” sidebar, for instance, will result in only seeing the
most frequently used applications on the home screen. The
“favorites” sidebar, meanwhile, lets users pick and choose which
applications they want to appear as icons on the home screen. Users
can still access every app they want as well by choosing to use the
“all” sidebar.

Finally, RIM is trying to encourage more application development
for its devices by allowing app development based on the HTML 5
standard that lets companies build graphics, typography, animations
and transitions without relying on third-party browser plug-ins.
Apple’s Steve Jobs has advanced HTML 5 as a mobile alternative to
Adobe’s Flash platform, which Apple currently bars from its iPhone
devices.

Even if the BlackBerry OS 6 is a resounding success, however, it’s
not clear that the BlackBerry Torch will help the company catch up
to the prime offerings from rivals Apple, HTC or Motorola, at least
from a consumer perspective. While BlackBerry devices still offer by
far the most enterprise security features of any smartphone, it
looks as though the Torch is already a step behind its rivals with a
slower processor that clocks in at 624MHz and a screen that has a
resolution of 480x360 pixels, which is relatively low compared to
other big-name devices. It may be true that the BlackBerry Torch is
“the best BlackBerry ever,” as AT&T Mobility CEO Ralph de la Vega
put it Tuesday, but that still might not be enough. ■


►  Switching,  from  page  12 

to be stored in the core routers. LISP proponents also say the
technique would make it easier for companies to switch carriers
without having to acquire new IP addresses because the
identification function would remain constant even if the location
information changes.

It  is  beneficial  for  enterprises  deploying 
multihoming  -  using  multiple  ISPs  for 
Internet  access  service  -  and  can  also  be 
used  to  balance  traffic  loads  destined  for 
multihomed  enterprises  as  well  as  other 
traffic  engineering  applications. 

LISP  would  operate  in  conjunction  with 
the  Border  Gateway  Protocol  and  any  other 
routing  protocol,  and  with  both  IPv4  and 
IPv6,  Mukherjee  says. 

“We look at LISP as a new routing architecture, which enables
enterprises and service providers to simplify multihomed routing,
provide data center virtual machine mobility and to reduce
complexity,” Mukherjee says.

Even though LISP was initially authored by Cisco, it is not facing
any significant resistance from Cisco competitors, Mukherjee says.
Indeed, the LISP working group is populated by representatives from
other vendors and is co-chaired by Joel Halpern, who is with
Ericsson.

But  Juniper,  the  No.  2  vendor  to  Cisco  in 
routing,  says  LISP  reinvents  the  wheel. 

“It is a single vendor authorship,” says Mehdi Sif, director of
technology marketing in Juniper’s Infrastructure Products Group.
“There is a question out there on whether this is a vendor-specific
solution to a vendor-specific problem.

“[There  are]  existing  standardized 
mechanisms  —  route  aggregation,  route 
summarization,  FIB/RIB  compression 
mechanisms  —  widely  deployed  today,  even 
for  legacy  platforms.  I  would  see  LISP  as  a 
subset  of  much  broader  conversations  that 
are  happening  across  the  board  -  and  which 
involve  all  of  the  vendors,  by  the  way.”  ■ 
► IBM, from page 1

As it accelerates its mobile plans, IBM expects to exploit its
already extensive interoperability with other platforms including
its major competitor in UC — Microsoft. Its mobile support will also
challenge competitor Avaya and its mobile clients. As businesses
deploy 4G handhelds, IBM will fully support collaboration “on the
mobile device of choice” and treat the collaboration features as an
always-available set of tools, Rennie said.

He expects customers will adopt SameTime for mobile devices via its
cloud-based collaboration suite LotusLive, starting with a core of
instant messaging, presence, Web meetings and some video. That will
grow to include voice integration with corporate directories as well
as full video services.

Rennie also said the company would respond to customer demand for
appliances that can be used to more easily bring collaboration tools
into their networks, much the same way that they can add security
platforms to their networks via IBM security appliances.

IBM is also building a downloadable, browser-based plug-in so anyone
can join SameTime conferences even if their machines lack SameTime
clients. Later this capability will be deployed from LotusLive
clouds so, for example, a bank could call a conference to talk to
high-value customers and have them participate with relative ease,
said Rob Ingram, IBM senior product manager for UC. The clients are
already available for Web conferencing and IM, and the browser-based
client for video is scheduled for the first quarter of 2011. After
that the company may look into a mobile browser-based client as
well, he said.

The company is working with videoconferencing vendors to build
adapters to communicate with IBM video infrastructure so, for
example, IBM desktop video participants could join conferences
anchored by Polycom gear, he said. The user case they’re working on
is collaboration with business partners who might not have IBM
videoconferencing infrastructure, Ingram said. The list of those
participating includes Cisco and Polycom but not Cisco’s Tandberg
gear or HP conferencing.

Even as he looks ahead to mobile collaboration, Rennie noted that
businesses over the past 18 months have altered their view of UC,
which blends presence and various modalities of real-time
communication — IM, phone calls, video - with collaboration tools
integrated with calendaring and corporate directories, and
non-real-time communication such as texting and e-mail. Elements of
IBM’s UC offerings include Notes/Domino for messaging and
calendaring; Lotus Connections for social collaboration; Lotus
Quickr for team collaboration; SameTime for Unified Telephony; Lotus
Live for on-premise or cloud collaboration.

IBM is big in Massachusetts

IBM opened its largest North American software development facility
in June, in Littleton, Mass., that complements a site in nearby
Bedford. The development lab consolidates facilities that came along
with acquisitions IBM has made in the state since 2002.

Company      Date         Technology acquired
Rational     DEC. 2002    Development software
Ascential    MARCH 2005   Data integration software for building data warehouses
DataPower    OCT. 2005    SOA appliances
iPhrase      NOV. 2005    Web search
Bowstreet    DEC. 2005    Portal development software
MRO          JULY 2007    Asset and service management software
Watchfire    JULY 2007    Web application security testing
WebDialogs   AUG. 2007    Web conferencing
Cognos       NOV. 2007    Business intelligence/performance management
AptSoft      JAN. 2008    Business event processing software
Diligent     APRIL 2008   Deduplication software
FilesX       APRIL 2008   Storage software
Ounce Labs   JULY 2009    Application security testing
Guardium     NOV. 2009    Database monitoring
Storwize     JULY 2010    Data compression

Whereas  customers  may  have  regarded  UC 
as  a  package  of  tools  that  could  be  bought  and 
installed,  they  now  look  at  specific  business 
processes  from  a  desktop  perspective  rather 
than  as  a  back-end  resource,  Rennie  said.  UC 
might  have  been  deployed  before  for  a  siloed 
purpose  such  as  a  tool  for 
contact-center  agents, 
but  now  businesses  see  it 
with  wider  applications, 
he  said. 

CFOs, for instance, can see the cost-saving benefits of enabling a
business-analytics dashboard that pushes through work to the next
stage by notifying the right person to handle it and pulling
together conferences when needed. “We call it collaboration-enabled
business processes,” he said.

Such an idea is in contrast to just promoting attractive UC
features. That is the way IBM has been selling UC in the past, and
that needed to change, says Don Van Doren, a principal with Unicomm
Consulting.

“The quick-to-communicate stuff is useful, but it doesn’t touch the
central concepts of unified communications and impact how companies
can function differently. You need to get to the business guys and
say there’s a business-process bottleneck that costs them two days
out of every business development cycle,” he says. And then show how
UC can remove the bottleneck. But the task is daunting because that
means pulling in top executives and line-of-business managers to
help make the technology decisions with the IT staff, he says.

Even  with  that  challenge,  IBM  is  aligned 
to  do  well  in  battling  its  primary  competitor, 
Microsoft,  he  says.  Other  UC  vendors  such  as 
Cisco  and  Avaya  come  from  the  telephony  end 
of  communications,  and  he  feels  that  software 
vendors  with  control  of  desktop  software 
have  the  edge.  One  of  IBM’s  strengths  is  that 
it  already  has  desktop  productivity  software 
widely  deployed  in  corporate  networks.  And 
it  is  interoperable  with  Microsoft  platforms, 
he  says,  making  it  possible  to  use  products 
customers  have  already  bought.  Specifically, 
he  pointed  to  IBM’s  strategy  to  enable  putting 
IBM  SameTime  presence  inside  Microsoft’s 
Outlook  and  SharePoint. 

Van  Doren  ranks  IBM  far  ahead  in  social 
networking  software  for  business  with  Lotus 
Connections  tied  into  presence  and  with  its 
capabilities  for  mining  information  within 
the  corporate  network  to  enhance  finding  the 
right  people  for  specific  tasks.  “They’ve  been 
working  on  this  four  or  five  years,”  he  says. 
“Cisco  is  just  starting  to  do  it.”  ■ 
NET INSIDER BY SCOTT BRADNER

The price of free Internet: a piece of your soul

YOU THINK Google knows too much about you? Internet tracking
companies know far more.

It is not news that there are a lot of companies, and maybe a few
governments, tracking your every move on the Internet. But most
people have not yet internalized just how pervasive and detailed the
tracking is.

A  series  of  front-page  articles  in  the  Wall  Street  Journal  will  help  raise 
the  level  of  awareness  among  the  general  public  and,  more  importantly, 
among  policy  makers  in  Congress  and  the  federal  regulatory  agencies. 

Most people do understand that the Web sites you visit on the
Internet can, and most do, use cookies to keep track of who visits
and what they do there. What is not so well known is that many sites
have arrangements with third-party companies that let them also put
cookies on your computer.

This is an issue because the third-party companies have agreements
with lots of Web sites, and there are lots of these third-party
companies, so they can track you between Web sites. For example, if
you visit the Web site of one automaker then go to another
automaker’s Web site, a third-party company can see what you did on
both sites and use that information to understand more about you.
The third-party companies then sell information about your
activities to advertising companies so that you will see ads better
designed to get you to buy something.

This may not seem like a big deal, but note that some of these
third-party companies have arrangements with thousands of Web sites
and, thus, can find out a lot about you.

The Journal is not the first to talk about the issue. For example,
I saw quite a good presentation by AT&T researcher Balachander
Krishnamurthy during the IETF meeting in Anaheim.


You can protect yourself from some tracking by setting up your
browser to not accept third-party cookies and to erase cookies when
you exit from the browser — both are easy to do in Firefox and Safari
(the Journal reported on Aug. 2 that Microsoft killed a plan by its
engineers to block the tracking by default). Microsoft was more than a bit
conflicted since it just bought a company that sells ads.
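The cross-site tracking and the two browser settings described above, shown as an added simulation that is not part of the original column. The site and tracker names are constructed, and only ordinary HTTP cookies are modelled, not Flash cookies.

```javascript
// Constructed simulation: no network access; every domain below is made up.

class Browser {
  constructor({ blockThirdParty = false } = {}) {
    this.blockThirdParty = blockThirdParty;
    this.jar = new Map(); // cookie jar: domain -> Map(name -> value)
  }

  // Cookies attached to a request for `domain` made from a page on `topSite`.
  cookiesFor(domain, topSite) {
    if (this.blockThirdParty && domain !== topSite) return new Map();
    return new Map(this.jar.get(domain) || []);
  }

  // Store a cookie set by `domain` while the user is on a page of `topSite`.
  store(domain, topSite, name, value) {
    if (this.blockThirdParty && domain !== topSite) return; // third party: refused
    if (!this.jar.has(domain)) this.jar.set(domain, new Map());
    this.jar.get(domain).set(name, value);
  }

  // "Erase cookies when you exit from the browser."
  exit() { this.jar.clear(); }

  // Load a page: one first-party request plus one per embedded third party.
  visit(site) {
    site.handle(this, site.domain);
    for (const tracker of site.embeds) tracker.handle(this, site.domain);
  }
}

class Site {
  constructor(domain, embeds = []) { this.domain = domain; this.embeds = embeds; }
  handle(browser, topSite) {
    // First-party cookie: recognises the visitor on this one site only.
    if (!browser.cookiesFor(this.domain, topSite).has("session")) {
      browser.store(this.domain, topSite, "session", "s-" + this.domain);
    }
  }
}

class Tracker {
  constructor(domain) { this.domain = domain; this.nextId = 1; this.log = []; }
  handle(browser, topSite) {
    // Reuse the ID cookie if the browser sent one, otherwise try to set a new one.
    let uid = browser.cookiesFor(this.domain, topSite).get("uid");
    if (uid === undefined) {
      uid = "u" + this.nextId++;
      browser.store(this.domain, topSite, "uid", uid);
    }
    this.log.push({ uid, site: topSite });
  }
  // What the tracker can assemble: ID -> set of sites that ID was seen on.
  profiles() {
    const byUid = new Map();
    for (const { uid, site } of this.log) {
      if (!byUid.has(uid)) byUid.set(uid, new Set());
      byUid.get(uid).add(site);
    }
    return byUid;
  }
}

// Replay a browsing session and return the largest number of distinct sites
// the tracker could tie to a single ID. "EXIT" closes the browser.
function largestProfile(browserOptions, steps) {
  const tracker = new Tracker("tracker.example");
  const browser = new Browser(browserOptions);
  const sites = new Map();
  for (const step of steps) {
    if (step === "EXIT") { browser.exit(); continue; }
    if (!sites.has(step)) sites.set(step, new Site(step, [tracker]));
    browser.visit(sites.get(step));
  }
  let max = 0;
  for (const seen of tracker.profiles().values()) max = Math.max(max, seen.size);
  return max;
}

const A = "automaker-a.example", B = "automaker-b.example", C = "news.example";
console.log("default settings:          ", largestProfile({}, [A, B]));
console.log("third-party cookies blocked:", largestProfile({ blockThirdParty: true }, [A, B]));
console.log("cookies erased on exit:     ", largestProfile({}, [A, B, "EXIT", C]));
```

Erasing cookies on exit only breaks the link between sessions; within one session the tracker still ties both automaker visits to the same ID.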

Even  if  you  set  your  browser  to  delete  cookies  you  may  not  be  safe 
since  a  number  of  companies  are  overriding  your  preferences  using 
Adobe  Flash  cookies.  This  behavior  is  now  the  subject  of  a  lawsuit. 

Very few of us pay money to the Web sites we visit on the Internet.
To us, most Web sites seem free. There are a few that people pay for,
but to date most experiments wherein a Web site puts up a “paywall”
that demands money before you can enter have failed. Operators need
to have some reason for maintaining their Web sites. The reason can
be pride, or sales, customer service or part of a wider mission. But in
many cases, just like with “free” TV, there is real money involved —
money from advertisers. Google is not being altruistic in not charging
you to use its search engines.

But  there  is  a  trade-off.  There  is  a  point  where  these  folks  know  just 
too  much  about  us  and  we  know  nothing  about  them.  I  understand  that 
someone  has  to  pay  for  my  “free”  use  of  the  Internet  but  I’d  rather  the 
price  not  be  such  an  intrusive  look  into  my  soul. 

Disclaimer: Harvard has used Google Analytics, one of these
third-party companies, but I know of no university opinion on selling souls in
exchange for a little content, so the above lament is my own.

Bradner  is  Harvard  University’s  technology  security  officer.  He  can  be 
reached  at  sob@sobco.com. 
Softer data-leak prevention


DATA-LEAK PREVENTION is growing at 10% a year, a bit slower than
anticipated but still pretty fast compared to other security
technologies. In this year’s research we see DLP use or active evaluation
among 36% of research participants. The primary driver is compliance,
as with most security funding. In looking at DLP deployment
over time we noticed quite a few companies that deployed DLP last
year pulled back on their deployments because of a backlash from
users and management.

Many  companies  did  not  succeed  in  their  DLP  implementations 
because  they  saw  DLP  as  an  enforcement  tool  and  not  an  awareness 
tool.  When  DLP  is  implemented  as  an  enforcement  tool,  the  controls 
are  strict  and  run  the  risk  of  disrupting  business.  Here’s  why: 

Most  leaks  are  not  leaks  by  determined  adversaries.  Those  are  pretty 
much  impossible  to  stop  anyway  —  there  are  too  many  ways  to  leak 
information  if  one  is  determined.  Accidental  leaks  can  be  stopped,  but 
to  do  so  we  must  understand  why  they  occur  and  accept  that  some  of 
the  responsibility  lies  with  IT  itself. 

The vast majority of leaks, at least according to what we see in the
media and hear from our research, occur accidentally. Dig a little
deeper and you find that they are not simply the result of negligence or
irresponsible users. In many cases, leaks occur when duly authorized
users of the data, in the process of fulfilling a legitimate business
process, choose an insecure means to store or transmit the data. They’re
trying to do their job, the best way they know with the tools they have.
An accounting manager needs to send the latest quarterly numbers to
an external accounting or audit firm. He doesn’t have encrypted e-mail,
encrypted FTP or PGP. So he sends it by e-mail. Crude DLP only makes
this problem worse: you stop the e-mail, they try Gmail; you stop Gmail,
they try IM or Facebook or whatever else they know. Whose fault is it if
they don’t have encrypted e-mail or SFTP or some better way of doing
this? Not the user’s fault — IT is to blame.

If you look at DLP as an awareness tool, then you can fix these
broken processes. Each of these mistakes contains several opportunities
for improvement. You can train the user about why certain methods
are dangerous. You can tell them about better methods. Most
importantly, IT becomes aware of dangerous practices for which they have
not provided better alternatives. IT professionals: put a DLP in “soft”
reporting mode for a few months and you will find out that you don’t
know how the business runs.

Soft DLP is DLP focused on training and awareness for all sides (IT
and users). It allows exceptions (“if you’re sure then click continue to
do it anyway”) and logs the results so that improvements can be made.
It’s incremental, non-judgmental and business friendly. Eventually,
you can tighten controls. You might discover that with soft-DLP, better
alternatives and training you don’t need as much enforcement. Turns
out DLP is not a tool for controlling users, but a tool for teaching IT
about the business. That’s what makes it so valuable.
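The difference between enforcement and "soft" reporting mode described above, as an added sketch that is not from the column or from any DLP product. The events, the CONFIDENTIAL- label and the channel names are constructed assumptions standing in for a real classifier and real traffic.

```javascript
// Constructed sample: outbound transfers seen by a DLP sensor. All names are made up.
const EVENTS = [
  { user: "acct-mgr",   dept: "accounting",  channel: "corporate-email",
    dest: "audit-firm.example", body: "Q3 results CONFIDENTIAL-FINANCE attached" },
  { user: "acct-mgr",   dept: "accounting",  channel: "webmail",
    dest: "audit-firm.example", body: "resending the CONFIDENTIAL-FINANCE numbers" },
  { user: "acct-clerk", dept: "accounting",  channel: "corporate-email",
    dest: "audit-firm.example", body: "CONFIDENTIAL-FINANCE ledger export" },
  { user: "dev1",       dept: "engineering", channel: "corporate-email",
    dest: "partner.example",    body: "lunch on Friday?" },
];

// Assumption: sensitive documents carry a label; a real deployment would use a classifier.
const SENSITIVE = /CONFIDENTIAL-[A-Z]+/;
// Assumption: the channels IT considers safe for sensitive data.
const SECURE_CHANNELS = new Set(["sftp", "encrypted-email"]);

// mode "enforce": block every sensitive transfer over an insecure channel.
// mode "soft":    warn, let the user click continue, and log the override.
function evaluate(event, mode, userClicksContinue = true) {
  const hit = SENSITIVE.test(event.body) && !SECURE_CHANNELS.has(event.channel);
  if (!hit) return { action: "allow", logged: false };
  if (mode === "enforce") return { action: "block", logged: true };
  return { action: userClicksContinue ? "allow-with-override" : "cancelled", logged: true };
}

// Group logged events by business process (department -> destination), so the
// report points IT at a process that lacks a secure alternative rather than at
// individual users.
function brokenProcesses(events, mode) {
  const report = new Map();
  for (const e of events) {
    const result = evaluate(e, mode);
    if (!result.logged) continue;
    const key = `${e.dept} -> ${e.dest}`;
    const entry = report.get(key) || { hits: 0, blocked: 0, channels: new Set() };
    entry.hits++;
    entry.channels.add(e.channel);
    if (result.action === "block") entry.blocked++;
    report.set(key, entry);
  }
  return report;
}

for (const mode of ["enforce", "soft"]) {
  for (const [process, e] of brokenProcesses(EVENTS, mode)) {
    console.log(`${mode}: ${process}: ${e.hits} hits, ${e.blocked} blocked, ` +
                `channels tried: ${[...e.channels].join(", ")}`);
  }
}
```

Both modes log the same three events; soft mode lets the quarterly numbers reach the auditor while the report shows that accounting has no approved channel to that destination.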

Antonopoulos  is  a  senior  vice  president  and  founding  partner  at 
Nemertes  Research,  an  independent  technology  research  firm.  He 
can  be  reached  at  andreas@nemertes.com. 
TOOLS

Building  a  better  netbook 

I  recently  received  for  review  a  Samsung 
NB30  netbook  computer.  Wikipedia  defines 
netbooks  as  a  “category  of  small,  lightweight, 
and  inexpensive  laptop  computers  suited  for 
general  computing  and  accessing  Web-based 
applications,”  which  is  to  say  they  don’t  have 
powerful  anything  and  they’re  cheap. 


Mark  Gibbs’  Gearhead 


The  NB30,  built  around  the  low-power 
1.66GHz  Intel  Atom  N450  system-on-a-chip 
(SoC)  with  integrated  memory  controller  and 
graphics  core  with  1GB  RAM,  costs  $379. 

The device comes with a 160GB HDD (and has a Free Fall Sensor to park
the heads to prevent disk damage if the computer is dropped),
a 10-inch LED backlit display, 802.11 b/g/n Wi-Fi, 10/100Mbps Ethernet,
a 0.3-megapixel Webcam (which is surprisingly good), and a
six-cell lithium ion battery that provides up to 6.5 hours of run time.
So far, not bad.

But what did Samsung do? It decided the device should ship with
Windows 7 Starter edition.

This is like taking a Ford Explorer and swapping out its 4-liter V6
for an Edwardian steam engine.

To say that Windows 7 sucks the life out of the product is an
understatement. And heaven forefend that you should want to actually
connect to wireless if you don’t have endless patience. Why does
Windows do such a bad job with Wi-Fi?

Whatever value Samsung might think Windows brings to the netbook
party is irrelevant in the face of what, at least to my jaundiced eye,
results in lackluster performance.

So what could improve on this situation? I think you know where I’m
going with this ... yep, good ol’ free and open source Linux, and
specifically Ubuntu 10.04 (Lucid Lynx) Netbook Edition.


Ubuntu Netbook Edition uses the GNOME window manager with the
most excellent custom Ubuntu Netbook Edition (UNE) interface and
includes pretty much every application you might want on a general
purpose, portable system.

UNE  is  ridiculously  easy  to  install  and 
knows  about  a  huge  range  of  peripherals;  it’s 
easy  to  configure;  it  isn’t  a  resource  hog;  and 
it  runs  really,  really  fast  even  on  the  1.66GHz 
Atom  N450. 

I  downloaded  UNE, 
installed  it  onto  a  4GB 
USB  drive  ($10  from 
Fry’s!)  using  the  Univer¬ 
sal  USB  Installer,  stuck 
the  USB  drive  in  the 
NB30,  restarted  the  NB30, 
went  into  the  BIOS  set  up 
and  moved  the  USB  drive 
above  the  HDD,  told  the 
BIOS  utility  to  save  the 
configuration,  and,  voila! 
The  whole  process  (other  than  the  download) 
took  minutes  and,  on  reboot,  Ubuntu  Netbook 
Edition  was  up  and  running  in  seconds. 

I clicked on the Wi-Fi icon in the menu bar, configured the Wi-Fi
subsystem, and, another voila! I was on my network in seconds. None
of that noodling around Windows does whenever it connects, just
straight online.

Running  the  OS  from  a  USB  drive  is  great 
for  testing  to  make  sure  everything  works  right 
(on  the  NB30  everything  did;  camera,  mouse, 
keyboard,  Bluetooth,  Wi-Fi)  and  there’s  also 


IT  asked 
and  answered 

Ron  Nutter  tackles  your 
tough  tech  questions  at 

tinyurl.com/yg2o434 


How can I run an app for Windows 7 x86?

I will assume you don’t have the source code for the app and/or the
company that wrote it is either no longer in business or won’t support
the app on Win 7.

While you try to get it ported/converted you could use virtualization
software to provide a 32-bit environment on a x64 platform.

This requires an additional guest OS license since you will be running
two different OSs at the same time. Your options are VMware, Virtual PC
or VirtualBox. The application won’t run natively in x64 in this
situation but at least you can run it on x64. I also found a site -
www.rtr.com - that might be an option as well. They have a good article
about porting apps — tinyurl.com/269or33.

If I wanted to build a Foundation site to test some upgrade conversions
on old WSS 2.0 sites would I have to install Foundation on a different
server than the server I installed 2010 Enterprise on? The current
SharePoint Enterprise site is 2008 R2 with SQL 2008 installed.

Since this is a test situation, I would strongly suggest you set up a
completely isolated environment. Look at VirtualBox or VMware to help
give you a test platform. Foundation only works on the 64-bit version of
Windows so that will need to be factored in. Since there are several
variables that you may be working with, starting in an isolated
environment will be helpful in isolating problems to the base install
vs. operation in a server farm.


GADGETS

Catching  up  on  the 
Cool  Tools  backlog 


Keith  Shaw’s 
Cool  Tools 


IT'S  NOT  EVEN  the  holiday  season  yet  and  boxes  have  started  to  arrive  daily.  This  also 
means  I  need  to  catch  up  on  writing  about  some  smaller  items  that  have  been  sitting  around 
for  a  while  that  I  can  talk  about  briefly  without  writing  a  full  review: 


■ I like the iPad Recliner from Lap Works ($45), which gives your iPad
a place to rest for watching videos, or if you want to try to
do things with the iPad in a vertical position. You’re not just limited
to the iPad — if you’re a Kindle or other e-book owner, you
can use this device as well. The stand can recline in multiple angles
and will support the iPad in portrait or landscape modes.
You can also use it with your notebook to incline that in a more
vertical position.

■ I took a while before deciding whether to add GelaSkins to my iPad.
On the one hand, the designs are wicked cool, and they create a unique
look for your iPad. My big fear was that I’d mess up applying
the stickers on the front and back of the iPad, but fortunately the
skins are easy to apply and take off. My only concern — at
$30 for the stickers, it could be pricey if you want to put on many
skins.

■ The iPhone app “IcePics” (99 cents) doesn’t take photos of ice, but
rather stands for “In Case of Emergency”. The app is simple —
when you open it, click a button to take a photo, and the app uses the
phone’s GPS to mark your location when you took the photo. You can set
up e-mail addresses ahead of time, which get sent an alert when
you take a photo. The app is designed for users who need to inform
people where they are in emergency situations (lost hikers, broken
down car and so forth), but you can also use it as a handy travelogue
(“Hey, look at this roadside attraction!”).

■ The official term is “mechanical keyboard”, but I prefer
“clicky keyboard.” That’s why I loved trying out the Adesso
Full Size Mechanical Gaming Keyboard with USB Hub and
Audio Jack (model MKB-135B, $100). Long name, but cool keyboard.
The audio tactile feedback sounds great, and to me it feels
like I can type faster, just like my other favorite keyboard, the Das
Keyboard. The Adesso version includes USB hub functionality
(you have to plug an additional USB cable to enable that), as well
as audio and microphone jacks, for systems where those jacks
are in the back of the computer. Also, the keyboard’s N-key rollover
function lets you press up to six keys at the same time, great
for gamers who want to have two keys register at the same time
(for diagonal turns!).


GelaSkins  designs  are  wicked  cool  and  easy  to  apply. 


Follow Keith on Twitter at http://twitter.com/shawkeith or
Facebook (http://bit.ly/cgVPsQ)





an  option  to  install  Ubuntu  Netbook 
Edition  to  the  hard  drive  if  you’re 
satisfied. 

The bottom line is that Ubuntu Netbook Edition makes the NB30 a
very attractive device. Under UNE the NB30 boots fast, runs fast, has
a great user interface, is incredibly easy to configure and makes the
machine a pleasure to use.

I can only award one rating per column so I’m going to award the
combination of the Samsung NB30 and Ubuntu 10.4 Netbook Edition a 5 out
of 5. With Windows 7, I might be able to stretch to maybe a 3.5. Maybe.

Gibbs  stretches  in  Ventura,  Calif. 

Tell  him  how  flexible  you  are  at 
gearhead@gibbs.com. 
CLEAR CHOICE TEST: DUAL-WAN ROUTERS


Supersize  your  WAN 

Inexpensive  SMB/branch  office  routers  deliver  advanced  performance  and  security 


BY  JAMES  E.  GASKIN 

Six years ago, we tested dual-WAN routers as a way to pump more
bandwidth into small businesses that couldn’t afford a T-1 and were
stuck with relatively slow DSL and cable connections.

Today, speed is less of an issue. For example, our suburban test lab
has an 18Mbps connection with AT&T’s U-verse service
and 15Mbps (with burst downloads as high as 30Mbps) with Time Warner
Cable’s Road Runner Turbo.

The critical need today is maintaining connectivity. The ability for
dual-WAN routers to combine throughput from two sources, continue if
one drops, then reconnect when the link comes back is a key selling
point.

Of course, cost is important, too. A T-1 delivers better uptime than
any connection from a phone or cable company, and a synchronous
connection in and out, but at hundreds of dollars a month. Two 15M to
20Mbps small business broadband connections combined
provide far more downstream throughput and 100% network redundancy,
all for a total of $80 to $120 per month.

We tested six dual-WAN routers: Check Point 1000N, D-Link DFL-210,
Netgear FVS336G, SonicWall TZ200, Trendnet BRV324 and Xincom DPG603.
All units share a fairly long list of standard features, including
VPN support, DMZ support, some level of QoS, and firewalls of varying
strength and granularity. Several of the more expensive units offer
intrusion detection and prevention.

We found that the ability to separate traffic between two active WAN
links is much improved compared with our last test. All units allow you
to weight one WAN connection more heavily than the other in
order to push traffic in that direction. Most offer ways to segment
users or protocols to a specific WAN link. All support firewalls
capable of passing the full throughput of almost all
inexpensive broadband links that will be tied together by these
dual-WAN routers.


Dual-WAN routers don’t really double the throughput to any one
computer, but they deliver their true worth when several computers
are pulling lots of traffic. No longer will the video download fanatic
suck up all available bandwidth.

Vendor: Netgear
Product: ProSafe Dual-WAN Gigabit SSL VPN Firewall FVS336G
Price: $300
Pros: Easy setup; easy management; small business friendly pricing; Gigabit Ethernet support.
Cons: Fewest VPN connections; basic firewall and security.

Vendor: SonicWall
Product: TZ200
Price: $400 and up
Pros: Easy to install and manage; strong firewall and security products; excellent branch office option.
Cons: No Gigabit Ethernet; multiple software options increase cost and complexity.

Vendor: Xincom
Product: XC-DPG603 Twin WAN DNS-to-IP VPN Gateway
Price: $800
Pros: Easy to install and manage; well-done admin interface.
Cons: Basic firewall and security features; relatively low number of VPN connections using IPSec only.

Vendor: Trendnet
Product: BRV324 Dual WAN Advanced VPN Router
Price: $195 to $235
Pros: Low price; easy installation and management; nice feedback on WAN performance.
Cons: Basic security modules; little dual-WAN configuration possible.

In our redundancy testing, each router continued after one WAN link
was dropped, and recovered when the link came back up.
The occasional five-minute pause that randomly afflicts residential
broadband service in our area disappeared, as the second WAN
took up the slack invisibly.

Our VoIP phone had connection troubles with some routers when we
configured them to split traffic based on bytes or packets. Setting the
load-balancing metric to IP addresses eliminated those issues.

For small businesses, Netgear and Trendnet are priced right, easy to
use, and provide basic but not overwhelming firewall and
security support. For branch offices with remote management and
security policies to enforce, investigate Check Point and SonicWall
first.


ProSafe Dual-WAN Gigabit SSL VPN Firewall FVS336G

Netgear,  despite  its  consumer  roots,  has 
been  making  network  equipment  for  small 
and  midsize  (SMB)  businesses  for  years.  The 
FVS336G,  though  awkwardly  named,  is  the 
result  of  that  experience;  it’s  easy  to  install, 
easy  to  configure  and  easy  to  manage. 

The  box  we  received  contained  only  a 
power  supply,  but  it  was  labeled  “eval”  so 
may  not  have  had  all  the  pieces  normally 
shipped  with  a  retail  unit.  The  lack  of  a 
manual  didn’t  bother  us,  since  the  system 
connected  quickly  and  the  administration 
screens  are  littered  with  context  sensitive 
help  at  the  touch  of  a  question  mark  icon. 

Larger and heavier than all the other units because of its steel case,
the FVS336G is still smaller than a hardback book. All the connections
except the power plug are on the front panel.

There are four 10/100/1000 Gigabit Ethernet ports on the front, and
two other ports labeled WAN1 and WAN2. One of the four
LAN ports can be configured as a DMZ port.

Maximum  device  throughput  is  60Mbps, 
one  of  the  slowest  units,  but  still  faster  than 
our  two  broadband  connections  combined. 
It  supports  25  VPN  IPSec  tunnels  as  well  as 
10  SSL  VPN  connections.  The  stateful  packet 
inspection  firewall  provides  admin  pages 
about  as  simple  as  any  firewall  can  be,  with 
separate  pages  for  LAN-WAN,  DMZ-WAN 
and  LAN-DMZ  rules,  and  a  single  button  to 
enable  the  application  layer  gateway  (ALG) 
for  Internet  phone  traffic  using  SIP. 

INSTALLATION  AND  CONFIGURATION 

We  plugged  the  FVS336G  into  our  network 
switch,  connected  the  first  WAN  cable,  and 
turned  it  on.  The  DHCP  server  provided 
the  default  192.168.1.x  address  range  for  our 
computers,  which  connected  to  the  router 
immediately.  The  first  screen  that  came  up 
was  the  monitoring  screen  showing  Router 
Status,  with  WAN1  up  and  connected. 

Setting the LAN range to 10.0.1.x was also straightforward. From
Network Configuration on the top of the admin page, we went
to LAN Settings. The LAN address was the top field, and the DHCP
settings were right below. We set the range of IP addresses
for our clients, ignored the option to connect to a Lightweight
Directory Access Protocol (LDAP), and also didn’t put in a special DNS
server address, preferring to let the unit pass through
the addresses from the broadband provider. After hitting the Apply
button, the FVS336G rebooted, and we rebooted our computer
to catch the new IP address range.

Vendor: D-Link
Product: DFL-210 NetDefend Network Security UTM Firewall
Price: $449
Pros: Strong firewall with high granularity, slightly faster WAN throughput than the rest of the group.
Cons: Painful install and management, poor documentation.

Vendor: Check Point
Product: Safe@Office 1000N
Price: $750, optional modules and licenses run price up to $1,250 and more.
Pros: Gigabit Ethernet, highest firewall throughput, 400 VPN tunnels, powerful yet easy to manage firewall.
Cons: High price for small businesses, recurring license and module fees.

Adding the second WAN connection was just as easy. Going through
Network Configuration to WAN2 ISP Settings, we had
the chance to put in login information if necessary (it wasn’t), and
choose whether we needed to use Point to Point Tunneling
Protocol (PPTP) or Point to Point Protocol over Ethernet (PPPoE), and
provide a static IP address if necessary. You can again pass
through DNS server information from your ISP or put in your own; we
let the Netgear box handle that as before.

After  rebooting  the  second  broadband 
modem,  the  FVS336G  made  the  connection 
immediately.  The  Monitoring  >  Router  Status 
page  showed  both  WAN  connections  up  and 
running,  with  full  details  on  IP  addresses 
and  primary  and  secondary  DNS  addresses. 
When  we  hit  the  Router  Statistics  icon,  a  page 
that  refreshed  every  five  seconds  appeared, 
listing  the  total  transmit  and  receive  packets 
for  WAN1,  WAN2,  and  the  LAN. 

Juggling traffic ratios between the two WAN ports is also easy to
configure. A Port Mode page allows you to choose Auto-Rollover
between WAN ports by using DNS or ping of two addresses to monitor WAN
health. The better option is Load Balancing, and you can tie any of 63
protocols to one WAN connection or the other. Want all
Session Initiation Protocol phone packets to go through only one WAN
link? Easy to configure. You can also separate WAN traffic by
source or destination network.

OPERATION 

For a router with “Dual-WAN” in the name, it’s surprising there’s no
way to choose what type of packet load balancing should be used.
The Router Statistics display shows the FVS336G has a marked
preference for the Time Warner cable connection in WAN2 in
receive traffic, but the transmit packet numbers are about equal. It
does show a breakdown of traffic by protocol (e-mail, Web and
other) which is interesting. Web traffic was by far the majority.

There  are  a  dozen  ways  to  track  and  report 
routing  logs,  and  another  10  for  system  logs. 
Even  though  this  product  is  aimed  at  small 
businesses,  you  can  define  a  syslog  server. 
Speeds  were  on  the  high  end  of  average. 

The FVS336G is a strong entry in the Dual-WAN market, and that’s
before taking into account that it comes with the second lowest
price tag of the group. Combining good value with good performance
makes the FVS336G an excellent option for small businesses with
fewer than 50 users that don’t need a large number of VPN connections.

2.  SonicWall  TZ200 

The SonicWall TZ200 is the middle product between the TZ100 and the
TZ210, and the smallest and lightest appliance in this test. White and
bright and about the size of a CD wallet, it looks more like an Apple
product than a firewall. Prices for SonicWall products
are hard to pin down because, while the firewall and router have no
client license fees, adding support for security features such as
enhanced client antivirus and antispyware, VPN Client Windows, UTM SSL
VPNs, and a few other options requires user licenses. Figure
around $400 to $450 to start, and tally up your options from there.

One reason the TZ200 is small is because it has only five ports.
Labeled X0-X4, X0 is defined for a LAN and X1 for a WAN. The
other three can be configured as WAN, LAN or DMZ ports, so it’s
possible to connect four broadband feeds to this one box if double
double redundancy is important. LAN ports support 10/100 Fast Ethernet
only.

Maximum firewall throughput is advertised at 100Mbps, which was
confirmed in a recent Network World test by Joel Snyder. The
unit supports up to 50 IPSec VPN tunnels along with 50 SSL VPN clients.

The  only  things  in  the  box  were  the  unit,  the 
power  supply  and  an  Ethernet  patch  cable. 

Wizards  help  with  setup,  starting  with  the 
PortShield  interface  to  set  port  assignments, 
configure  the  firewall  to  provide  public  access 
to  internal  servers,  and  to  set  VPN  policies. 
Nice  touch,  especially  since  no  manual  was 
included  with  the  product  on  paper  or  CD.  If 
dual-WAN  connections  aren’t  enough,  you 
can  buy  two  TZ200s  and  run  them  in  High 
Availability  mode.  You  can  also  connect  a  3G 
modem  to  the  USB  port  in  case  you  want  a 
backup  for  both  WAN  connections. 

INSTALLATION  AND  CONFIGURATION 

Help is only available online, which seems a bit cheeky when selling a
router. The admin screen has a question mark icon in the upper
right corner, and the help pages that appear are context-sensitive and
well written for the non-tech. Unfortunately, many pages
respond with a 404 error. Once we saw a message saying “online help
for this SonicWall product has not yet been released.” Surely
that’s a linking error, because this unit has been available for more
than a year. When you hover over an icon, you’re often rewarded
with an information bubble.

The setup wizard appears the first time you connect to the admin
screen through your browser, and can be launched any time
thereafter. Using a default address range of 192.168.168.x, the TZ200
provides client addresses through its DHCP server. This
unit is the only one that recommended a strong password during the
setup. You make your port assignments during setup, but we
configured the system initially with a single WAN and added the second
later.

All the common broadband connection types are available, but the
automatic connect feature worked. After we elected to skip registering
the unit, we rebooted and our network clients had Internet access.

Resetting the LAN address range to 10.0.0.x for our test network was a
matter of clicking the Network menu item on the left,
and Interfaces from the expanded list. X0, the port connected to the
network switch, is the first listing. We clicked on the Configure icon
and changed the IP address. Then we chose DHCP from the left menu and
changed the client address range. When we applied the
changes, the unit promised to redirect our admin PC to the new
settings, reconfigure the PC to the new settings and resume the page.
We did have to restart the admin utility, but otherwise the switchover
worked perfectly.

We added the second WAN by plugging into the X2 port and configured it
for WAN. Then we went to the Failover & LB screen
under Network and chose between balancing options: basic failover,
round robin, spillover and ratio. The best performance for our network
came with ratio, and we set the two lines to share traffic
50/50. The Failover & LB screen shows statistics for the two WAN
connections, updated in more or less real time.

OPERATION 

Once configured, the router became invisible, as good routers do.
Speeds during group connection testing were on the high side of average
for the group, and the 50/50 ratio gave the best throughput for a
single computer speed test.

The default admin screen shows system information, the last few log
alerts, and network interface assignments and status. You can monitor
the traffic statistics on the Failover & LB page. The TZ200 also
includes a basic Packet Monitor that allows you to capture traffic
and decode most of the packet detail. Logs can be exported or
e-mailed on a defined schedule or when full.

SonicWall  products  tend  to 
fit  in  the  middle  between  basic 
devices  with  little  configuration  or 
security  options  and  the  high  end  units  too 
complicated  for  small  and  midsize  businesses.
While  the  TZ200  has  as  much  or
more  firewall  and  security  control  than  any 
unit  tested,  non-techs  can  install  this  unit 
with  little  effort. 

Small  businesses  looking  for  all  the 
upgrades  may  be  surprised  at  the  cost  if  they 
think  of  the  TZ200  as  just  a  router.  For  a 
small  business  or  branch  office,  the  SonicWall 
TZ200,  fully  loaded  with  security  modules  or 
not,  can  be  all  the  routing  and  security  needed, 
no  matter  how  simple  or  complicated  its  security
policies.

3.  Xincom  XC-DPG603  Twin
WAN  DNS-to-IP  VPN  Gateway

This  is  the  top  of  the  three-member  DPG  family
from  Xincom.  Its  top-end  X16-R  supports
up  to  eight  broadband  connections,  and  its 
ParaLynx  70G  includes  wireless  support. 

Another  unit  with  straightforward  ports, 
the  XC-DPG603  has  four  10/100  Ethernet 
ports  and  two  WAN  ports.  All  the  ports  are 
in  the  back  with  status  lights  in  the  front,  and 
ears  are  included  if  you  want  to  rack  mount 
the  9.5  x  5.5  inch  blue  metal  box. 

The  max  throughput  is  “over 
50Mbps”  according  to 
Xincom,  and  the  unit 
supports  30  IPSec  VPN 
tunnels.  Officially  rated  the 
slowest  in  throughput  of  the  group  tested,  the 
practical  speed  results  during  our  tests  were 
about  in  the  middle  of  the  pack,  depending  on 
which  load  balancing  method  was  used. 

INSTALLATION  AND  CONFIGURATION 

Included  with  the  DPG603  are  two  Ethernet 
patch  cables,  a  manual  on  CD,  and  a  quick 
start  guide  printed  on  old-fashioned  paper. 
Connecting  a  broadband  link  to  WAN1  brings 
up  the  admin  login  screen,  followed  by  the 
screen  to  set  a  password.  The  administration 
screen’s  top  menu  item  on  the  left  is  Basic 
Configuration,  and  everything  you  need  to 
set  is  right  there.  A  question  mark  icon  pops 
up  context  sensitive  screens  that  are  hosted 
on  the  router,  so  you  can  get  help  if  you  have 
trouble  getting  the  unit  connected  to  the  Internet,
a  nice  touch.

The  WAN  connection  supports  Dynamic 
and  Static  IP  addresses,  PPPoE  and  PPTP.  Our 
connection  established  automatically,  and  we 
moved  to  the  LAN  and  DHCP  settings. 

We  replaced  the  192.168.1.x  default  LAN
address  range  with  10.0.1.x,  added  the  DHCP 
range  for  client  computers  and  submitted  the 
changes.  After  rebooting  our  admin  PC  to  get 
the  new  IP  address,  we  had  Internet  access 
and  properly  configured  clients. 

Adding  the  second  WAN  was  just 
as  easy.  The  Interface  page  showing 
Primary  Setup  is  a  drop  down,  and 
selecting  WAN2  was  as  simple  as  point 
and  click.  The  same  WAN  connection 
options  held  for  our  second  WAN,  and 
we  were  connected  to  both  WANs  quickly. 

The  next  choice  on  the  left-hand  menu, 
Advanced  Port,  offered  Load  Balancing  as  the 
second  item.  Four  load-balancing  methods 
are  provided:  Bytes,  Packets,  Sessions  Established
and  IP  Addresses.  That  same  screen
shows  overall  statistics,  listing  the  load  share 
between  WAN1  and  WAN2  and  the  total  bytes 
transmitted  and  received  across  both. 

OPERATION 

The  admin  page  shows  System  Status  with 
one  of  the  better  information  summations 
of  the  tested  routers.  The  first  group  shows 
which  WAN  lines  are  connected,  and  a  Forced 
Renew  button  for  each  to  release  and  then 
reconnect  via  DHCP.  The  IP  addresses  for 
both  WAN  ports  appear  next,  along  with  DNS 
information,  followed  by  similar  information 
for  the  LAN  segments.  Device  information 
and  uptime  statistics  fill  the  rest  of  the  page. 

The  next  menu  item  is  WAN  Status,  and 
that  displays  overall  WAN  statistics  over  the 
previous  hour.  Total  bytes,  packets  and  average
bandwidth  displays  give  more  information
than  the  other  units,  all  gathered  in  one
convenient  screen.  It  handily  shows  the
traffic  percentage  between  the  two  WAN  connections
for  each  type  of  traffic  statistic.

We  found  that  using  packets  as  the  load-balancing
method  rather  than  bytes  delivered
slightly  better  speeds,  but  caused  our  Vonage 
phone  some  connection  grief.  WAN2,  the 
Time  Warner  Cable  link,  tended  to  be  more 
popular  and  carry  more  traffic,  a  trend  that 
occurred  in  most  of  the  other  units. 

The  easy  installation,  clean  menu  and 
common-sense  information  displays  on  the 
admin  utility  make  this  the  most  small  business
friendly  unit.  Those  looking  for  ways  to
set  complicated  firewall  rules  will  be  disappointed,
since  the  DPG603  focuses  far  more
on  dual-WAN  routing  than  on  firewall  and 
security. 

Other  LAN  management  tools,  such  as 
Quality  of  Service,  are  available.  You  can  manage
the  unit  remotely  from  stations  within  a
specified  IP  address  range,  for  instance,  and 
SNMP  is  supported. 

More  for  SMBs  looking  for  a  dual-WAN 
router  than  a  company  looking  for  complex 
security  configurations,  the  DPG603  works 
invisibly  after  configuration.  Any  power  user 
can  install  and  maintain  this  unit  with  ease. 


4.  Check  Point  Safe@Office  1000N

It’s  hard  to  miss  a  Check  Point  appliance, 
because  they  all  have  bright  orange  boxes  and 
bright  yellow  front  panels.  The  1000N  is  no 
exception,  and  the  small  metal  box  with  the 
gaudy  paint  job  stands  out.  Check  Point  has 
a  large  number  of  security  products,  but  the 
Safe@Office  1000N  and  the  wireless  enabled 
1000NW  are  the  only  small-business-specific 
products. 

All  the  connections  are  on  the  back  of  the 
box,  with  status  lights  on  the  front.  There  are 
four  10/100/1000  Gigabit  Ethernet  ports, 
one  dedicated  WAN  port,  a  combo  WAN2/ 
DMZ  port,  and  a  console  RJ45  serial  port.
Accessories  include  a  serial  to  RJ-45  cable  for 
command-line  fans,  an  Ethernet  patch  cable, 
a  documentation  CD,  an  illustrated  Getting 
Started  Guide  and  a  sales  pitch  for  optional 
advanced  services  features. 

Check  Point  calls  the  1000N  a  firewall 
more  than  a  router,  and  it  advertises  gigabit 
throughput,  plus  400  VPN  tunnels  that  can 
run  as  fast  as  200Mbps.  You  can  also  run
two  1000N  units  linked  together  for  high
availability. 

Since  there  are  multiple  optional  software 
modules,  setting  the  price  for  the  1000N  can 
be  difficult.  Check  Point  says  the  price  starts 
at  $750,  but  street  prices  range  from  $850  to 
$1,250  depending  on  the  number  of  users  and 
the  installed  modules.  The  price  tag  may  give 
smaller  businesses  pause,  but  IT  departments 
buying  for  branch  offices  can  justify  the  price 
based  on  the  firewall  throughput  speeds  and 
comprehensive  security  modules  available. 

INSTALLATION  AND  CONFIGURATION 

Following  the  Getting  Started  Guide  is 
easy.  Connect  WAN1,  connect  your  network 
and  configuration  computer,  and  turn  on 
the  1000N.  The  client  will  receive  a  DHCP 
address  in  the  192.168.10.x  range,  slightly  different
than  most  default  addresses.  You  don’t
have  to  remember  that,  however,  to  connect 
to  the  admin  utility,  because  you  use
http://my.firewall  to  access  the  router.

The  setup  wizard  forces  you  to  set  a  password
with  at  least  five  characters,  then  the
Internet  wizard  takes  over.  Perhaps  “wizard” 
is  a  little  overblown,  since  it  basically  asks  for 
the  type  of  broadband  connection,  then  tries 
to  connect.  We  linked  up  first  time  with  no 
issues.  Almost  immediately  we  had 
Internet  access  through  the  1000N. 

Changing  the  LAN  IP  address 
range  was  also  simple.  Both  the 
LAN  IP  address  settings  and  DHCP 
range  are  on  the  Network  >  My  Network
page,  found  by  clicking  the  Edit  icon
on  the  LAN  section.  Reboots  all  around,  and
the  LAN  address  is  changed.

Adding  in  the  second  WAN  link  was  also 
simple.  Network  >  Internet  page,  then  edit 
the  secondary  WAN  link.  After  a  quick  trip 
through  the  WAN  choices  and  a  reboot  of  the 
cable  modem,  the  1000N  grabbed  hold  and 
connected. 

Just  below  the  Internet  connection  listing  are
the  WAN  Load  Balancing  controls.  They  use  a
very  simple  metaphor:  an  on/off  switch.  Slide 
the  switch  to  ‘On’  and  both  lines  share  traffic. 
You  have  no  control  over  what  type  of  load 
balancing  is  used,  but  you  can  set  the  ratios 
between  the  two  WAN  connections. 

We  found  that  the  control  is  hidden  far  too 
deeply.  You  have  to  click  through  Network  > 
Internet  >  Edit  Connection  >  Show  Advanced 
Settings,  then  scroll  to  the  bottom  of  the  page 
to  the  Load  Balancing  Weight  field.  The 
default  is  a  50/50  traffic  split  between  broadband
lines.

OPERATION 

The  1000N  ships  with  90-day  trial  versions 
of  gateway  antivirus  updates,  antispam,
URL  filtering,  Dynamic  DNS,  and  special 
logging  and  report  utilities.  When  you  open 
the  admin  screen,  a  sales  pitch  for  service 
upgrades  awaits.  Past  that,  there’s  not  a  great 
screen  that  monitors  the  dual-WAN  connection
for  traffic.

The  best  is  Reports  >  Networks  to  bring  up 
the  Network  Interface  Monitor  page.  Clicking
on  the  tree  menu  displays  the  connection
details,  including  packets  sent  and  received. 
You  can  refresh  the  screen  but  not  clear  the 
statistics,  making  it  harder  to  see  if  a  ratio 
adjustment  makes  a  difference. 

Even  without  much  control,  performance 
is  right  in  line  with  the  other  units.  When  network
traffic  is  light,  the  1000N  will  maximize
bandwidth  well,  but  most  of  the  time  performance
is  about  average  for  the  group.

Though  firewall  details  are  beyond  our 
purview  for  this  review,  the  1000N  does
a  good  job  making  them  understandable. 
Going  to  Security  >  Firewall  displays  another 
sliding  switch  to  set  the  security  level  to  low, 
medium  (the  default),  high  or  block  all. 

The  SmartDefense  system,  Check  Point’s 
Intrusion  Detection  System  and  Intrusion 
Prevention  System,  displays  a  tree  list  on  the 
left  with  explanations  and  default  settings 
explained  in  the  right  side  of  the  window. 

Much  like  the  SonicWall  TZ200,  the  Check 
Point  1000N  offers  enterprise-level  security
granularity  in  a  presentation  that  won’t  scare
off  non-experts.  But  the  SmartDefense  controls
combined  with  sliding  settings  give  1000N
the  edge  for  being  easier  to  understand.  Add  in
the  fact  the  complexity  is  there  for  larger  companies
providing  these  to  branch  offices,  and
you  have  a  security  appliance  that  covers  both 
ends  of  the  IT  experience  spectrum. 

5.  D-Link  DFL-210  NetDefend
Network  Security  UTM  Firewall

The  smallest  unit  of  the  D-Link  NetDefend 
family,  the  DFL-210  is  a  dark-gray  metal  box 
about  6x8  inches,  second  largest  of  the  group 
tested  but  still  relatively  small.  All  the  connections
are  in  the  back  with  lights  for  power
and  status,  Ethernet,  WAN  and  DMZ  ports 
on  the  front.  Air  vents  on  both  ends  and  the 
top  mean  you  need  to  place  the  unit  in  the 
open  for  air  flow. 

Included  are  two  Ethernet  patch  cables,  the 
power  supply  and  a  documentation  CD.  Unfortunately,
the  Quick  Installation  Guide  is  only
on  CD,  with  no  paper  version.  Worse,  the  guide
has  errors.  Also  included  are  a  Firewall  Registration
Manual  (that’s  on  paper)  and  a  serial
console  cable  for  a  command  line  interface. 

The  last  two  items  give  a  strong  clue  to  the
strength  of  the  DFL-210  —  it’s  much  more
a  complex  firewall  that  supports  dual-WAN 
connections  than  a  small  business  router 
with  a  firewall.  D-Link’s  marketing  says  this 
is  a  Small  Office/Home  Office  (SOHO)  product,
but  it  was  the  most  difficult  of  all  units
tested  to  install  and  configure.  This  unit  will 
frustrate  most  small  businesses  that  try  to 
install  it  themselves.  That  said,  once  up  and 
running,  the  unit  was  rock  solid  and  did  a 
better  job  wringing  slightly  better  speed  from 
the  dual-WAN  connection  than 
all  the  other  units. 

FEATURES 

The  DFL-210  has 
four  Fast  Ethernet 
(100Mbps)  network  connections,
one  dedicated  WAN
port  and  a  DMZ  port  that  does  double  duty  as 
the  second  WAN  port.  Maximum  firewall 
throughput  is  80Mbps,  which  is  better  than 
most  of  the  other  units.  VPN  throughput  is  up 
to  25Mbps  spread  across  a  maximum  of  100 
tunnels.  A  highly  configurable  firewall  leads 
the  security  package  that  includes  intrusion 
detection  and  prevention.  Tools  for  traffic 
management  and  QoS  are  included  as  well  as 
SNMP  support. 

User  authentication  through  RADIUS  and 
LDAP  helps  the  DFL-210  integrate  into  a  large
network,  another  indication  this  isn’t  really  a 
SOHO  device,  but  can  work  fine  in  a  branch 
office  setting.  Remote  management  controls 
are  set  by  some  of  the  many  firewall  policies, 
which  include  NAT,  Port  Address  Translation
and  Static  Address  Translation.

Gather  your  lucky  charms  and  stroke  your 
rabbit  foot  for  good  luck  before  starting  to 
install  the  DFL-210.  Make  your  own  luck  by 
turning  off  the  popup  blocker  in  your  browser 
on  the  computer  you  use  to  install  the  unit. 
Why?  The  setup  screen  appears  only  once 
as  a  popup,  and  if  you  don’t  catch  it,  you  have 
to  use  a  different  computer  or  reset  the  unit 
to  factory  settings  and  try  again.  The  Setup 
screen  is  supposed  to  be  visible  on  the  main 
status  line  in  the  administration  software,  but 
it  only  appears  one  time  on  each  computer 
used  to  run  the  admin,  never  to  be  seen  again, 
unless  the  unit  is  reset  to  factory  settings  and 
the  process  started  over. 

Since  DHCP  is  disabled  (the  only  unit 
tested  so  configured),  you  must  prepare  a 
PC  in  the  192.168.1.x  address  range  to  start 
the  setup  process.  The  first  screen  rightfully
demands  you  change  the  admin  user’s
password  away  from  the  default,  but  doesn’t 
enforce  or  even  suggest  creating  a  strong 
password.  Time  and  timezone  settings 
come  next,  but  an  option  to  add  external
timeservers  doesn’t  appear  until  later.

Next,  you  choose  your  broadband  connection
for  your  WAN  interface.  Standard
options  for  static,  DHCP,  PPPoE,  and  the 
PPTP  follow  as  with  all  other  units.  As  a 
nod  toward  D-Link’s  international  sales,  an 
option  for  Big  Pond  finishes  up  the  list. 

Finally  you  get  a  chance  to  turn  on  the  DHCP 
server  to  parcel  out  client  addresses,  and  put 
your  address  range  for  clients.  Next  you  have 
to  add  the  default  gateway  (unnecessary
in  other  units)  and  type
in  your  DNS  server  IP 
addresses. 

The  DFL-210  does  not 
include  a  DNS  server.  If 
you  put  the  same  IP  address 
in  the  DNS  field  as  the  default  gateway,  as 
you  do  with  all  other  units  tested  here,  your 
network  clients  will  not  be  able  to  resolve 
URLs  because  they  won’t  be  linked  to  a  real 
DNS  server.  For  our  tests,  we  used  Google’s 
free  public  DNS  addresses  of  8.8.8.8  and 
8.8.4.4,  both  of  which  were  passed  to  clients 
as  requested. 

Next  come  the  “helper”  servers,  including
addresses  for  up  to  two  syslog  servers  and 
two  more  external  time  servers.  This  ends 
the  setup  process,  and  when  you  click  the 
Activate  button,  all  the  details  will  be  saved 
to  the  DFL-210. 

This  is  actually  a  nice  touch.  Using  the 
admin  utility  through  a  browser,  the  Configuration
drop-down  menu  has  three  options:
Save  and  Activate  (as  just  done),  Discard 
Changes  and  View  Changes.  When  fighting 
through  more  complicated  configurations 
to  make  the  unit  usable,  as  we  had  to  do  several
times,  a  list  of  planned  changes  ready  to
be  implemented  gave  us  a  chance  to  double 
check  before  hitting  Save  and  Activate. 

OPERATION 

Once  restarted,  network  clients  will  have 
access  through  the  DFL-210’s  firewall  and 
security  policies  to  the  Internet  through  the 
WAN  port.  Converting  the  DMZ  port  for 
duty  as  the  second  WAN  port  takes  some 
effort,  none  of  which  is  detailed  in  the  manual. 
Luckily,  the  technical  support  person  we  used 
knew  his  product  well  and  communicated 
even  more  clearly. 

All  rules  and  policies  refer  to  named  objects, 
such  as  lan_ip  and  wan_dns2,  rather  than
actual  addresses.  The  table  matching  names 
to  addresses  is  the  Address  Book  where  we 
changed  the  DMZ  port  address  to  match  the 
second  broadband  IP  address,  then  created 
a  group  that  linked  LAN  traffic  to  both  the 
WAN  and  DMZ  (now  WAN2)  ports. 

There  are  three  options  for  WAN  load 
balancing:  Round  Robin,  Destination  and
Spillover.  Round  Robin  sends  alternate  packets 
through  alternate  WAN  ports,  and  resulted  in 
better  bandwidth  usage  than  any  other  router 
we  tested.  However,  if  clients  outside  connect 
via  Secure-HTTP  for  any  reason,  the  Round 
Robin  alternate  sources  confuse  the  client,  so 
Destination  is  the  best  choice  in  that  case. 
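
The trade-off described above, as an added model that is not D-Link's code: per-packet round robin spreads load evenly but makes one HTTPS session appear to come from two NAT addresses, while destination-based selection pins each remote host to one uplink. The WAN names, selector functions and all addresses (RFC 5737 documentation ranges) are assumptions made for the illustration.

```python
import zlib
from collections import defaultdict
from itertools import cycle

# Constructed public addresses the router NATs to on each uplink (assumption).
WAN_ADDR = {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"}
WAN_NAMES = sorted(WAN_ADDR)


def round_robin_selector():
    """Return a selector that alternates uplinks on every packet."""
    ring = cycle(WAN_NAMES)
    return lambda packet: next(ring)


def destination_selector():
    """Return a selector that pins each destination address to one uplink."""
    def pick(packet):
        # crc32 is stable across runs (unlike hash()), so the mapping is sticky.
        return WAN_NAMES[zlib.crc32(packet["dst"].encode()) % len(WAN_NAMES)]
    return pick


def nat_view(packets, selector):
    """Map each session to the set of source IPs the remote server sees."""
    seen = defaultdict(set)
    for packet in packets:
        seen[packet["session"]].add(WAN_ADDR[selector(packet)])
    return dict(seen)


def split_sessions(view):
    """Sessions whose packets arrived from more than one source address."""
    return sorted(s for s, addrs in view.items() if len(addrs) > 1)


def uplink_share(packets, selector):
    """Count packets per uplink, to compare how evenly the load is spread."""
    counts = dict.fromkeys(WAN_NAMES, 0)
    for packet in packets:
        counts[selector(packet)] += 1
    return counts


def sample_traffic():
    """Constructed trace: three HTTPS sessions, six packets each, interleaved."""
    sessions = {
        "bank": "192.0.2.10",
        "mail": "192.0.2.25",
        "shop": "192.0.2.80",
    }
    return [
        {"session": name, "dst": dst, "dport": 443}
        for _ in range(6)
        for name, dst in sessions.items()
    ]


if __name__ == "__main__":
    packets = sample_traffic()
    for label, make in (("round robin", round_robin_selector),
                        ("destination", destination_selector)):
        view = nat_view(packets, make())
        print(label, "share:", uplink_share(packets, make()))
        print(label, "sessions seen from two addresses:", split_sessions(view))
```

A server that ties a TLS or login session to the client address will reject the sessions listed as split, which is the confusion the review reports with Round Robin.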

Feedback  is  just  about  non-existent.  To 
track  how  many  packets  are  coming  and 
going,  you  must  choose  Status  on  the  status 
line,  then  Interface.  A  screen  named  Interface 
Status  appears,  showing  details  from  a  single 
interface  at  a  time.  The  only  performance  feedback
is  a  text  listing  of  packets  and  bytes  in  and
out  for  that  interface,  along  with  the  number 
of  errors  and  dropped  packets. 

Although  changing  the  LAN  IP  address 
from  the  default  192.168.1.x  to  our  test  lab’s 
10.0.1.1  is  technically  only  a  matter  of  changing
the  lan_ip,  lannet,  and  lan_dhcpserver_range
and  activating  the  changes,  we  missed
the  time  window  to  connect  using  the  changed 
LAN  address  from  our  admin  computer.  We 
could  never  connect  to  the  unit  after  that  until 
we  reset  it  back  to  factory  defaults  and  started 
the  setup  all  over  again.  We  then  left  the  DHCP 
address  at  the  default,  because  the  aggravation
wasn’t  worth  trying  that  a  second  time.

D-Link  likes  to  advertise  that  its  small  business
products  have  “enterprise  features,”  and
the  DFL-210  certainly  has  them.  However,  it 
also  has  enterprise  complexity  for  setup  and 
configuration.  Once  through  that  aggravation, 
however,  the  DFL-210  provided  the  fastest 
average  throughput  rate  during  our  testing 
by  a  small  margin. 

6.  Trendnet  BRV324  Dual
WAN  Advanced  VPN  Router 

A  metal  box  with  all  the  plugs  in  the  back  and 
status  lights  on  the  front,  the  Trendnet  Dual 
WAN  Advanced  VPN  Router  covers  the  same 
price  range  as  Netgear.  Four  10/100  Fast  Ethernet
ports,  along  with  separate  WAN1  and
WAN2  ports,  fill  the  back  of  the  unit.  The  nine-pin
serial  port  for  a  console  connection  looks
positively  nostalgic  in  today’s  world  of  RJ-45 
and  USB  ports. 

The  BRV324  advertises  support  for  70
IPSec  and  10  PPTP  VPN  connections,  or  100
pass-through  sessions  with  IPSec,  PPTP  and
L2TP.  There’s  no  firewall  throughput  number
published,  but  the  speeds  for  the  BRV324
across  two  broadband  connections  are  in  the
same  range  as  all  the  other  units.  A  color  illustrated
Quick  Installation  Guide  is  included,
along  with  a  CD  manual  and  an  Ethernet
patch  cable.

How  we  tested  the
WAN  routers

Our  suburban  test  lab  includes
AT&T  U-verse  rated  at  18Mbps,
and  Time  Warner  Cable  data
access  rated  at  15Mbps  with  “Turbo”
mode  for  faster  downloads.  Each
router  was  configured  with  a  single
WAN  connection  first  and  then  reset
for  a  new  IP  address  range.  Once  the
router  was  up  and  running,  a  second
WAN  link  was  added.  We  then  ran
real  world  tests  for  multiple  days,
tracking  throughput  and  service
issues.  We  also  used  the  monitoring
utilities  provided  by  the  routers  to
track  how  the  traffic  flowed  between
the  two  WAN  connections.

INSTALLATION  AND  CONFIGURATION 

Using  an  IP  address  range  of  192.168.0.1  is 
just  different  enough  to  avoid  conflicting  with 
existing  addresses.  Plugging  in  our  network 
switch  and  the  first  WAN  link,  then  turning  on 
the  computer,  passed  a  client  DHCP  address 
properly  to  our  configuration  computer. 

Using  the  browser  to  log  in  to  the  admin 
screens,  we  went  to  Setup  and  set  the  WAN 
connection  type,  choosing  between  Static  IP, 
Dynamic  IP  (DHCP),  PPPoE  and  PPTP.  The 
WAN  connected  as  it  should. 

Changing  the  LAN  IP  address  range  was 
a  simple  matter  of  clicking  Setup  >  LAN  Port 
to  find  the  LAN  IP  address  field.  Right  below 
that  is  the  enable  DHCP  server  checkbox  and 
the  IP  address  range.  A  quick  save  and  reboot, 
and  our  network  was  up  and  running. 

Adding  the  second  WAN  link  was  only  a 
matter  of  plugging  into  the  WAN  port,  choosing
the  WAN  connection  type  on  the  same
screen  as  earlier,  and  both  WANs  were  up 
and  running. 

Load  Balance,  a  menu  option  under  Setup 
on  the  left-hand  menu,  offers  a  choice  between 
Connection  and  Bandwidth  for  the  load  balancing
metric.  Unfortunately  for  a  product
with  Dual  WAN  in  the  name,  the  BRV324
includes  no  helpful  information  about  how
the  WAN  balancing  should  be  chosen.  A
field  named  Primary  Port  Proportion,  with  a
default  setting  of  50,  is  the  only  place  to  define 
if  one  WAN  link  should  be  given  priority  over 
the  other. 

Interestingly  for  a  product  at  this  level,  the 
BRV324  offers  an  easy  table  to  direct  traffic  to
one  WAN  link  or  the  other  with  a  pick  list  of
42  protocols  to  direct  to  the  second  WAN  connection.
We  doubt  many  small  businesses  will
go  to  this  trouble,  but  it’s  an  interesting  option 
on  a  low-priced  router. 

OPERATION 

The  opening  screen  of  the  admin  utility  is 
the  General  Status  page.  Details,  addresses 
and  connection  status  for  WAN1,  WAN2, 
LAN,  the  firewall,  the  system  kernel,  and  the 
system  details  such  as  firmware  version  and 
system  uptime  are  all  available  by  scrolling 
down  the  page. 

Surprisingly,  the  least-expensive  router  in 
the  group  has  the  only  colored  display  screen. 
Under  Status  >  Port  Status,  a  colored  pie  chart 
sized  with  heaviest  users  sits  beside  a  network 
throughput  graph  tracking  levels  over  time. 
This  is  the  only  report  that  tracks  throughput,
but  it  only  shows  connections  and  speed
rather  than  totals  of  bytes  or  packets.  But  at 
least  there’s  a  pie  chart. 

Although  the  CD-based  manual  has  good 
tutorial  information  on  setting  up  a  VPN,  the 
material  needs  a  refresh.  Windows  XP  is  no 
longer  the  new  client  on  the  block,  and  Windows
2000  no  longer  powers  the  majority  of
user  computers. 

Accessibility  and  a  clear  menu  structure  in 
the  admin  utility  make  the  BRV324  a  good
choice  for  small  businesses  without  expert 
help  on  staff. 

However,  perhaps  to  keep  from  confusing 
users,  the  BRV324  tells  them  almost  nothing
about  the  central  dual-WAN  support  at  the 
core  of  the  product. 

Outside  of  those  quibbles,  the  price  and 
performance  of  the  BRV324  make  it  an  excellent
option  for  small  businesses  looking  for  an
affordable  dual-WAN  connection  router.

Summary 

Dual-WAN  routers  have  come  a  long  way. 
WAN  connections  are  easier  to  establish,  and 
all  units  we  tested  have  configurable  load 
balancing.  The  performance  increase,  not 
to  mention  the  redundant  Internet  connections
that  all  but  guarantee  uptime,  should
put  these  dual-WAN  routers  at  the  top  of  the 
shopping  list  for  every  small  business  that 
needs  a  router. 

Gaskin  is  an  author,  consultant  and  speaker. 
He  can  be  reached  at  james@gaskin.com. 
BACKSPIN  BY  MARK  GIBBS

If  net  neutrality  dies,  blame  the  comms  junkies 


“When  [cellular]  subscribers  sign  up  for  service, 
they  want  their  network  to  move  data  —  not  to 
choose  which  companies  are  wealthy  enough  to 
buy  access  to  subscribers.  Without  vital  net  neutrality  protections,  companies 
with  commercial  incentive  to  limit  the  free-flowing  Web,  like  T-Mobile,  Verizon 
and  Comcast,  can  decide  who  will  have  a  voice  online.  These  companies  should 
not  have  the  power  to  determine  anyone’s  fate  on  the  Internet.  ” 

—Joel  Kelsey,  Political  Adviser,  Free  Press 

Nicely  put:  Who  will  have  a  voice  online  is,  indeed,  the  core  issue. 

What  prompted  Kelsey’s  comments  was  the  recent  announcement 
that  T-Mobile  was  stepping  definitively  away  from  net  neutrality  (the 
idea  that  carriers  should  not  be  allowed  to  shape  data  traffic  for  their 
own  commercial  ends)  and  planning  to  make  Google  and  Apple  “pay 
to  play”  when  it  comes  to  video  traffic. 

If  T-Mobile  has  its  way,  Google,  Apple  and  probably  every  other 
company  with  the  kind  of  consumer  success  that  generates  significant
traffic  will  be  sent  a  bill.  The  result  will  be  no  pay,  no  play.  Should
T-Mobile  get  away  with  this,  then  it’s  pretty  much  a  foregone  conclusion
that  every  other  cellular  carrier  will  follow  suit.

What  T-Mobile  and  the  other  carriers  who  provide  Internet  data  services
(both  wired  and  cellular)  are  missing  is  that  these  video  services
are  “pulled”  by  the  consumer,  not  “pushed”  by  YouTube.  This  means 
it  is  a  choice  by  the  consumer. 

Now,  call  me  crazy  but  it  seems  that  any  attempt  to  control  what 
users  can  and  cannot  see,  even  if  it  is  just  by  limiting  performance,
has  to  be  censorship  and  we  can  pretty  much  guess  how  this  will  play
out.  First  it  will  be  argued  that  this  is  just  for  video  and  it’s  for  the  good
of  the  network,  then  certain  types  of  content,  both  video  and  Web,  will
get  blocked  for  political  or  outright  commercial  reasons,  and  then,  step 
by  step,  our  rights  will  be  eroded  until  we’re  all  paying  way  more  but 
only  for  what  the  powers-that-be  allow  us  to  see. 

It  seems  to  me  that  any  such  move  by  T-Mobile  would  have  to  violate 
the  agreed  terms  of  service  and  require  a  revised  agreement.  The  obvi¬ 
ous  consumer  move  should  be  to  take  that  as  an  opportunity  to  switch 
carriers  without  incurring  any  kind  of  early  termination  fee. 

The  same  situation  applies  to  Verizon’s  mooted  termination  of  its 
unlimited  data  plan  and  AT&T’s  recent  termination  of  its  similar  plan: 
Given  that  these  are  material  and  significant  changes  to  the  contract, 
users  should  be  able  to  say  “so  long”  without  having  to  cough  up  ETFs. 

But  wait!  It  looks  like  all  of  the  major  carriers  are  doing  the  same 
thing,  so  other  than  leaving  a  carrier  you  don’t  like  for  one  you  might 
like,  you’ll  still  be  losing  out.  Isn’t  that  market  fixing? 

Even  if  the  carriers  aren’t  explicitly  agreeing  to  all  do  the  same  thing, 
the  fact  that  they  are,  actually,  all  doing  the  same  thing  that  isn’t  in  the 
consumer’s  interest  should  raise  all  sorts  of  red  flags. 

The problem is that consumers are addicted to their comms. They
are all hooked on their iPhones, their Droids and their BlackBerrys.
So, for example, will iPhone users leave AT&T because the company
is changing the deal? Nope, they won’t. And thus, the heart of the
battle for net neutrality could be lost because consumers have become
comms junkies.

Gibbs, in Ventura, Calif., has a 12-step program for comms addiction.
Sign up at backspin@gibbs.com.
NETBUZZ BY PAUL MCNAMARA

Putting  IE’s  market  share  gains  in  perspective 


MUCH IS being made of the fact that Microsoft has at least temporarily
stanched the bleeding in terms of Internet Explorer’s
market share, and, in fact, has managed to nudge the number upward
slightly in each of the past two months.

According to a report from NetApplications released last week,
IE has gained about 1% over that time, mostly at the expense of Firefox
and Chrome. Interesting, notable and probably has their attention
at Mozilla and Google. However, it’s also in need of historical
perspective.

The  July  report  leaves  the  top  three  at:  IE,  60.74%;  Firefox,  22.91%; 
and,  Chrome,  7.16%.  A  year  ago,  Microsoft  had  a  touch  under  68%  of 
the  market,  Firefox  was  just  about  where  it  stands  now,  and  Chrome 
was  just  climbing  out  of  the  crib  at  2.59%.  IE  has  lost  10%  over  the  past 
12  months,  while  Chrome  has  almost  tripled  its  share. 

But  let’s  hop  into  the  time  machine  and  travel  all  the  way  back  to 
a  2004  ‘Net  Buzz  column  (pre-blogging  for  me):  “Bill  Gates  will  hold 
a  yard  sale  to  help  make  ends  meet  before  his  company’s  Internet 
Explorer  is  displaced  as  the  world’s  dominant  Web  browser. 

“But  that  doesn’t  mean  there’s  nothing  meaningful  in  the  browser 
usage  trend  data  released  recently  by  WebSideStory.  According  to  the 
Web  analytics  firm,  users  of  the  Mozilla  and  pre-release  Firefox  open 
source  browsers  grew  to  6%  of  the  U.S.  online  populace  as  of  Oct.  29, 
up  from  3.5%  only  four  months  earlier. 

“That’s a solid jump from a modest starting point, yes, and Microsoft
still commands a 92.9% market share. But the increased open source
use comes almost entirely out of IE’s hide and presages nothing but
good things for the official release this week of Firefox 1.0, the Mozilla
project’s almost universally acclaimed entry into the world of alternative
browsers.”

It’s  easy  to  forget  that  Microsoft  was  once  essentially  the  only  game 
in  town  (just  as  it’s  easy  to  forget  Netscape  Navigator  was  once  almost 
universally  acclaimed  as  the  better  of  the  two). 

Only a year and a half later, there was this April 5, 2006, blog post:
“Firefox has topped 10% in the latest browser market share report from
Net Applications. But at what point — what percentage share — does
Firefox transition from ankle-biter to leg-breaker? In other words, what
is the magic number for Firefox to graduate from nuisance/media darling
to a genuine threat to Microsoft’s dominance of the browser market?
. . . I’m saying 20%. . . . Anyone want to offer a different number?”

Firefox  passed  that  20%  milestone  in  November  2008,  according 
to  NetApplications. 

The  initial  Chrome  beta  had  been  released  only  two  months  prior. 
Bottom  line:  There’s  plenty  of  life  left  in  Browser  War  II. 

Nice  idea,  but  about  that  name 

So you’ve written an application that’s intended to address the
public-health menace that is distracted driving. The app reads aloud e-mail
sent to your iPhone or BlackBerry so that you can keep your hands on
the wheel and eyes on the road.

You  call  the  app  ...  Text’nDrive?  It’s  as  if  you  made  one  of  those 
Breathalyzer  ignition  locks  and  called  it  Drink’nDrive.  ■ 

I've  been  called  worse.  The  address  is  buzz@nww.com. 